Cyberlaw



Using the RSA Algorithm for Encryption and Digital Signatures:
Can You Encrypt, Decrypt, Sign and Verify without Infringing the RSA Patent?

Patrick J. Flinn and James M. Jordan III
(c) 1997 Alston & Bird LLP
July 9, 1997

"Public key cryptography," a method for encrypting messages to be transmitted over an insecure channel, and "digital signatures," a method for authenticating the author of a message transmitted over an insecure channel, are emerging as fundamental tools for conducting business securely over the Internet. These technologies are widely expected to be used to conduct billions of dollars in electronic commerce within the next few years. However, the broad deployment of these technologies is substantially burdened by licensing demands being made by the owner of United States Patent No. 4,405,829, which is known as the "RSA Patent." It has become commonly accepted Internet lore that the RSA Patent covers most of the commonly used techniques for public key encryption and digital signatures, and that a patent license from the owner of the RSA Patent is necessary to employ these techniques. As this article explores in some detail, however, the RSA Patent is far more limited in scope and far more vulnerable to a validity challenge than is generally assumed.

The RSA Algorithm and the RSA Patent 

The RSA Algorithm was named after Ronald Rivest, Adi Shamir and Leonard Adleman, who first published the algorithm in April, 1977.[1] Since that time, the algorithm has been employed in the most widely-used Internet electronic communications encryption program, Pretty Good Privacy (PGP).[2] It is also employed in both the Netscape Navigator and Microsoft Explorer web browsing programs in their implementations of the Secure Sockets Layer (SSL), and by Mastercard and VISA in the Secure Electronic Transactions (SET) protocol for credit card transactions.

The RSA Algorithm is claimed in the RSA Patent, which was issued to Drs. Rivest, Shamir and Adleman, who exclusively licensed the patent nine days later to RSA Data Security, Inc., a company which was originally controlled by the inventors but is now a wholly-owned subsidiary of a Boston-based company called Security Dynamics Technology, Inc. RSA Data has to date filed three lawsuits alleging infringement of the RSA Patent. Two were settled prior to trial, and the third is still pending. Other litigation threats have been made regarding alleged infringements of the patent, including threats against non-commercial implementations for use by the Internet community. The patent expires on September 20, 2000, but that will be enough time for the patent to have a profound impact on the development of electronic commerce.
The existence of the patent, and RSA Data's aggressive litigation posture, have chilled the interest in both commercial and non-commercial implementations of public key encryption and digital signature technologies. Many have taken for granted the bald assertion that the "RSA Algorithm is patented," without examining the patent itself, or more particularly, the claims of the patent.[3] As we set forth in this article, however, a careful review of the patent reveals that the patent is not necessarily as broad as publicly asserted. More particularly, the decryption operation, standing alone, is not independently claimed at all in the patent. These weaknesses in the patent may be particularly relevant for digital signature operations because they may allow a developer to implement the protocol for verifying an RSA-generated digital signature without infringing the patent. In addition, if one separates the generation of the key pairs from the encryption operation, the claims of the patent do not cover the encryption (or signing) function by itself.

Basic Uses of Public Key Encryption and Digital Signatures 

The RSA Algorithm is only one implementation of the more general concept of public key cryptography, which permits two parties who have never met and who can only communicate on an insecure channel to nonetheless send secure and verifiable messages to each other. The Internet as currently structured is an insecure communications channel with an obvious use for such technologies. Indeed, the greatest expected growth for public key techniques is in Internet-related communications.

With public key techniques, each user has two different keys, one made available to the public and the other kept secret.[4] One of the keys is used to encrypt a message, and the other is used to decrypt the message. If Alice wants to send a secret message to Bob, for example, she looks up Bob's public key and uses it to encrypt the message. Because Bob's public key cannot undo the encryption process, no one who intercepts the message can read it. Only Bob, who possesses the secret key corresponding to his public key, can read the message. Alice never has to meet Bob out of the hearing of others to exchange keys or passwords; this is a substantial improvement over older encryption methods in which an exchange of private keys was necessary.

This system can also be used as a means for Bob to be sure a message comes from Alice. If Alice wants to sign a message, she can encrypt it with her private key.[5] When Bob receives an encrypted message which purports to be from Alice, he can obtain Alice's public key and decrypt the message. If a readable message emerges, Bob can have confidence that the message came from Alice, because Alice's public key would only properly unlock a message which was locked with her private key (known only to Alice).[6]

Of course, digitally signing the message does not make the content of the message private, because 
anyone with Alice's public key can read a message she encrypted with her private key. Alice can send 
a private, signed message to Bob, however, by first encrypting the message with Bob's public key (so 
only Bob can read it with his private key) and then encrypting the message a second time with her 
private key, forming her signature. Anyone who receives the message can use Alice's public key to 
undo the second encryption, but only Bob (or someone with Bob's private key) can undo the first 
encryption step and actually read the message. All of these complex-sounding manipulations can be 
made quite manageable with well-written software. 

The RSA Implementation of Public Key Encryption and Digital Signatures 

The Arithmetic in the RSA System 

Typical encryption techniques use mathematical operations to transform a message (represented as a number or a series of numbers) into a ciphertext. Mathematical operations called one way functions are particularly suited to this task. A one way function is one which is comparatively easy to do in one direction but much harder to do in reverse. As a trivial example, it is comparatively easy to square a two digit number; with a little concentration, many people can probably multiply 24 by 24 without using a pencil and paper. On the other hand, calculating the square root of the number 576 is much harder, even with a pencil and paper.

The RSA system uses one way functions of a more complex nature. Specifically, the system uses 
modular arithmetic to transform a message (or pieces of the message, one piece at a time) into 
unreadable ciphertext. Modular arithmetic is often called "clock" arithmetic, because addition, 
subtraction, and the like, work like telling time. In a 12-hour system, four hours after 10:00 is not 
14:00 (10 + 4 is not equal to 14); it is 2:00. This is because we subtract out 12 (or any multiples of 
12) after doing the addition. In modular arithmetic notation, the operation might look like this: 

2 = (10+4) mod 12 

2 = 14 mod 12 

One can do multiplication in modular arithmetic much the same way addition is done in the above 
example: 

2 = (7*2) mod 12 
2 = 14 mod 12 

This process is sometimes called modular reduction. By subtracting out the modulus (and all multiples 
of the modulus) a number is "reduced" to a much smaller number. When the number 14 is "reduced" 
to the number 2 in the above example, one can say that "14 is reduced modulo 12." 

The RSA system uses multiplication in modular arithmetic. Instead of multiplying one number by a different number (as (7) is multiplied by (2) in the above example), the RSA system multiplies one number (called the base) by itself a number of times. The number of times a base is multiplied by itself is called the exponent:

16 = 2*2*2*2

In this example, the number (2) is the base, and is multiplied by itself four times, making the exponent the number (4).

In the RSA encryption formula, the message (represented by a number M) is multiplied by itself (e) times (called "raising (M) to the power (e)"), and the product is then divided by a modulus (n), leaving the remainder as a ciphertext (C):[7]

C = M^e mod n

This is a hard operation to undo: when (n) is very large (200 digits or so), even the fastest computers using the fastest known methods could not feasibly recover the message (M) simply from knowing the ciphertext (C) and the key used to create the message ((e) and (n)).

In the decryption operation, a different exponent, (d), is used to convert the ciphertext back into the plain text:

M = C^d mod n

The modulus (n) is a composite number, constructed by multiplying two prime numbers,[8] (p) and (q), together:

n = p * q

The encryption and decryption exponents, (d) and (e), are related to each other and the modulus (n) in the following way:[9]

d = e^-1 mod ((p-1)*(q-1))[10]

To calculate the decryption key, one must know the numbers (p) and (q) (called the factors) used to 
calculate the modulus (n). When (n) is a sufficiently large number, it is infeasible, using known 
algorithms and the fastest computing techniques, to calculate the prime number factors of (n). 

The RSA Algorithm may be divided, then, into three steps: 

(1) key generation: in which the factors of the modulus (n) (the prime numbers (p) and (q)) are 
chosen and multiplied together to form (n), an encryption exponent (e) is chosen, and the decryption 
exponent (d) is calculated using (e), (p), and (q). 

(2) encryption: in which the message (M) is raised to the power (e), and then reduced modulo (n). 

(3) decryption: in which the ciphertext (C) is raised to the power (d), and then reduced modulo (n). 

Using the RSA Algorithm for Privacy and Digital Signatures 

When the RSA Algorithm is used in a public key system, the modulus (n) and one of the exponents (arbitrarily, we can assume (e)) are published. The other exponent (d) is kept secret, as are (p) and (q), the factors of (n). Each user holds his or her own keys, and knows the public key of the other user or users. Alice, for example, knows her own public key (e_alice and n_alice), her own private key (d_alice), and Bob's public key (e_bob and n_bob). Bob knows the converse: his public key (e_bob and n_bob), private key (d_bob) and Alice's public key (e_alice and n_alice).

For Alice to send Bob a private message only Bob can read, she performs the following operation on the message (M):

C = M^(e_bob) mod n_bob

Bob, who is the only one to possess his private key (d_bob), performs the following to recover the message (M):

M = C^(d_bob) mod n_bob

To sign the message, Alice encrypts with her own private key:

C = M^(d_alice) mod n_alice

Because only Alice possesses (d_alice), only she can create this ciphertext C. Anyone in possession of her public key (e_alice and n_alice) can verify the signature, however:

M = C^(e_alice) mod n_alice

It bears note that (p) and (q), the factors of (n), are not needed for encryption or decryption; they are only used in the key generation step (creating the modulus (n) and the second exponent). In addition, while it is important for key generation purposes that the modulus (n) be the product of two prime numbers, the exponentiation and modular arithmetic operation would work just as well with a prime number as the modulus (prime numbers being by definition evenly divisible only by themselves and the number 1).
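The three steps just described, and the sign/verify use of the same two operations, as an added example that is not code from the article. It uses the article's symbols (p, q, n, e, d, M, C) with constructed toy-sized primes, and derives d both as the text gives it, modulo (p-1)*(q-1), and modulo lcm(p-1, q-1), the form quoted from Claim 24 later in the article; the function names are my own.

```python
# Added example: RSA key generation, encryption, decryption, signing and
# verification with the article's symbols. Toy primes so the arithmetic can
# be checked by hand; real keys use primes of hundreds of digits.
from math import gcd


def modexp(base: int, exponent: int, modulus: int) -> int:
    """Raise base to exponent and reduce modulo modulus (square-and-multiply)."""
    result = 1
    base %= modulus
    while exponent > 0:
        if exponent & 1:
            result = (result * base) % modulus  # multiply in, then reduce
        base = (base * base) % modulus           # square, then reduce
        exponent >>= 1
    return result


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def key_generation(p: int, q: int, e: int, use_lcm: bool = False):
    """Step (1): n = p*q; e must be relatively prime to (p-1)*(q-1);
    d = e^-1 mod ((p-1)*(q-1)) as in the text, or mod lcm(p-1, q-1) as in
    Claim 24. Returns the public key (e, n) and the private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    m = lcm(p - 1, q - 1) if use_lcm else phi
    d = pow(e, -1, m)  # multiplicative inverse of e modulo m (Python 3.8+)
    return (e, n), (d, n)


def encryption(M: int, e: int, n: int) -> int:
    """Step (2): C = M^e mod n. Claim 23 also requires 0 <= M <= n-1."""
    if not 0 <= M <= n - 1:
        raise ValueError("message must satisfy 0 <= M <= n-1")
    return modexp(M, e, n)


def decryption(C: int, d: int, n: int) -> int:
    """Step (3): M = C^d mod n."""
    return modexp(C, d, n)


# Signing and verifying are the same two operations with the exponents
# swapped: sign with the private exponent, verify with the public one.
def sign(M: int, d_alice: int, n_alice: int) -> int:
    return encryption(M, d_alice, n_alice)


def verify(S: int, M: int, e_alice: int, n_alice: int) -> bool:
    return decryption(S, e_alice, n_alice) == M


def demo():
    # Constructed toy parameters: p=61, q=53 gives n=3233, (p-1)*(q-1)=3120.
    public, private = key_generation(61, 53, 17)
    e, n = public
    d, _ = private
    C = encryption(65, e, n)          # 65^17 mod 3233 = 2790
    M = decryption(C, d, n)           # back to 65
    # Claim 24's variant of d: inverse of e modulo lcm(60, 52) = 780.
    _, (d_lcm, _) = key_generation(61, 53, 17, use_lcm=True)
    S = sign(65, d, n)
    return {"n": n, "d": d, "C": C, "M": M, "d_lcm": d_lcm,
            "M_via_lcm": decryption(C, d_lcm, n),
            "sig_ok": verify(S, 65, e, n),
            "sig_forged": verify(S + 1, 65, e, n)}


if __name__ == "__main__":
    print(demo())
```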

The RSA Patent 

Anyone who "makes, uses, offers to sell or sells" a patented invention without the permission of the patent owner can be liable for patent infringement.[11] The boundaries of the patent are defined in the claims portion of the patent.[12] Accordingly, in order to determine whether a particular product, method or process infringes a patent, one must start with the text of the claims themselves.

There are 40 claims in the RSA Patent, but only ten of them are independent claims.[13] Independent claims are claims which do not incorporate other claims by reference. To infringe a dependent claim, one must first infringe the independent claim (or claims) incorporated by reference in the dependent claim. Conversely, if one does not infringe the independent claim(s) incorporated by the dependent claim, by definition one does not infringe the dependent claim. Accordingly, a review of the independent claims in the RSA Patent is sufficient for purposes of this discussion. As we will also see, a detailed review of the broadest independent claim in the RSA Patent (Claim 23) will lead without much further ado to a logical conclusion about the other nine independent claims, and in turn to a conclusion about all the claims in the RSA Patent: that none of these claims are infringed by performing a typical digital signature verification.

The claim with the least number of elements (and thus the broadest claim in the patent) is Claim 23, which provides:

23. A method for establishing cryptographic communications comprising the step of:

encoding a digital message word signal M to a ciphertext word signal C, where M corresponds to a number representative of a message and

0 <= M <= n-1

where n is a composite number of the form

n = p*q

where p and q are prime numbers, and

where C is a number representative of an encoded form of message word M,
wherein said encoding step comprises the step of:

transforming said message word signal M to said ciphertext word signal C whereby

C [is congruent to] M^e (mod n)
where e is a number relatively prime to (p-1)*(q-1).

Accordingly, the elements of this claim require an accused infringer to perform the following steps:

• Establish cryptographic communications;

• Ensure that the message (M) is greater than or equal to zero and less than or equal to (n-1);

• Define the modulus (n) by selecting prime numbers (p) and (q) and multiplying them together;

• Define the encryption exponent (e) such that it is relatively prime[15] to (p-1)*(q-1); and

• Encode message (M) into ciphertext (C) by raising (M) to the power of (e) and

• then reducing modulo (n).

Does Claim 23 Cover Signature Verification? 

As noted above, to verify an RSA-generated digital signature, the recipient takes the ciphertext 
transmitted to him and decrypts the ciphertext with the sender's public key. If the message decrypts 
properly, the signature is genuine. Importantly, two of the three fundamental steps in the RSA 
system are not performed in the signature verification step: key generation, where the parameters of 
the modulus (n) and the exponents (e) and (d) are set; and encryption, where the message (M) is 
raised to the power of (e) and then reduced by the modular operation. Only the third, decryption step 
is performed. The keys are generated by the sender (signer) and the encryption step has already 
been completed in the signing step. 

Accordingly, a person who merely verifies an RSA signature arguably does none of the steps contained in Claim 23, and certainly does not do them all. Most significantly, the decryption operation plainly does not constitute "encoding a digital message word signal" into "ciphertext." The verification operation transforms "ciphertext" into a "message word signal," not the reverse. The patent makes clear, moreover, what constitutes a "message" and what constitutes "ciphertext," and how "decoding" and "encoding" are different.[16] These terms are not interchangeable.[17]

The RSA signature verification steps of transforming ciphertext C into a message M using the decryption exponent (d) are separately claimed in dependent claim 24:

24. The method according to claim 23 comprising the further step of:

decoding said ciphertext word signal C to said message word signal M,

wherein said decoding step comprises the step of:

transforming said ciphertext word signal C, whereby:

M [is congruent to] C^d (mod n)

where d is a multiplicative inverse of e (mod (lcm ((p-1), (q-1)))).

Because Claim 24 incorporates all of the elements of Claim 23 by reference, one cannot infringe Claim 24 simply by performing the decryption steps alone.

Do the Other RSA Patent Independent Claims Cover Signature Verification? 

The analysis of Claim 23 above should apply with equal force to the other independent claims. Claims 
1, 13, and 18 require key generation, encoding, and de-coding. Claims 3, 8, 25, 2S do not contain the 
decoding step (subsequent dependent claims add that step), but have at least the elements of Claim 
23, plus others. Claims 33 and 37 claim a special case of the use of the RSA method, and thus are 
also more limited than Claim 23. Thus, under this analysis none of the independent claims of the RSA 
Patent (and therefore none of the dependent claims) are infringed by performing a typical digital 
signature verification. 

Does Claim 23 Cover Generation of a Digital Signature? 



It appears that the process of generating an RSA signature also may be done without infringing Claim 23. To create an RSA digital signature, the sender encrypts the message M with her private key, and transmits it to the receiver. The encoding step is clearly claimed in Claim 23 (and other independent claims), and thus the argument stated above regarding verification (decryption) is not available. However, Claim 23 also requires key generation, and that step need not be performed by software creating a digital signature if the keys are already supplied. (All of the other independent claims require the generation of the keys meeting the RSA Algorithm parameters.)

The step of generating the numbers comprising RSA keys (p, q, n, e and d) can easily be separated 
from the encryption step. The same keys can be used over and over again for multiple signatures; 
indeed, they can be used for as long as one has confidence that the keys have not been compromised. 
Moreover, many RSA-licensed products generate keys which can be separated from the software 
which generated them. Thus, as a practical matter, it should be possible to use keys generated by 
licensed RSA software in order to create digital signatures with other, unlicensed software. 

The owner of the RSA Patent would have difficulty arguing successfully that the encryption operation itself is covered by the patent, separate from the generation of the keys. This is because the concept of using exponents in modular arithmetic for encryption was invented and disclosed before the RSA system was invented. In 1975, two years before the RSA method was invented, Martin Hellman and Stephen Pohlig at Stanford University invented the Pohlig-Hellman encryption system,[18] which is identical to the RSA method, except that the modulus is a prime number, as opposed to the product of two primes:



Comparison of RSA and Pohlig-Hellman

                          RSA System                           Pohlig-Hellman
Encryption Operation      C = M^e mod n                        C = M^e mod p
Decryption Operation      M = C^d mod n                        M = C^d mod p
Modulus                   p * q (prime numbers)                p (prime number)
Encryption exponent (e)   e relatively prime to (p-1)*(q-1)    e relatively prime to (p-1)
Decryption exponent (d)   d = e^-1 mod ((p-1)*(q-1))           d = e^-1 mod (p-1)
The exponentiation and modular reduction steps in RSA and Pohlig-Hellman will work exactly the same regardless of whether the modulus is a prime number or the product of two primes. Once the modulus and the exponents are defined, the mathematical operations for encryption and decryption are identical in both the Pohlig-Hellman and RSA systems. A software module written to perform Pohlig-Hellman encryption or decryption would work just as well using a modulus and exponents generated with an RSA system. Accordingly, even if the inventors had attempted to claim the encryption step alone, without regard to key generation, the prior Pohlig-Hellman invention would have prevented such a claim from being valid.[19]
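The point of the comparison table, as an added example not taken from the article: one exponentiate-and-reduce routine serves both an RSA key pair and a Pohlig-Hellman key, and only the key generation differs. The function names and the toy parameters are my own constructions.

```python
# Added example: the same transform for RSA (composite modulus) and
# Pohlig-Hellman (prime modulus); only key generation tells them apart.
from math import gcd


def transform(x: int, exponent: int, modulus: int) -> int:
    """The encryption/decryption operation of both systems: x^exponent mod
    modulus. It never looks at whether the modulus is prime or composite."""
    return pow(x, exponent, modulus)


def rsa_keys(p: int, q: int, e: int):
    """RSA column of the table: modulus p*q, d = e^-1 mod ((p-1)*(q-1))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    return e, pow(e, -1, phi), n


def pohlig_hellman_key(p: int, e: int):
    """Pohlig-Hellman column: modulus p itself, d = e^-1 mod (p-1).
    Note (added here, not from the article): because anyone who knows p and
    e can compute d this way, e must also stay secret, so Pohlig-Hellman is a
    private-key cipher rather than a public-key one."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be relatively prime to (p-1)")
    return e, pow(e, -1, p - 1), p


def round_trip(M: int, e: int, d: int, modulus: int):
    """Encrypt then decrypt with the shared routine; return (C, recovered M)."""
    C = transform(M, e, modulus)
    return C, transform(C, d, modulus)


def demo():
    e_rsa, d_rsa, n = rsa_keys(61, 53, 17)        # n = 3233, d = 2753
    e_ph, d_ph, p = pohlig_hellman_key(101, 3)    # p - 1 = 100, d = 67
    # Feeding the RSA modulus to the Pohlig-Hellman key routine computes d
    # modulo n-1 instead of modulo (p-1)*(q-1): the transform still runs, but
    # the result is not the message. Key generation is where the systems differ.
    _, d_wrong, _ = pohlig_hellman_key(n, e_rsa)
    return {
        "rsa_keys": (e_rsa, d_rsa, n),
        "ph_keys": (e_ph, d_ph, p),
        "rsa": round_trip(65, e_rsa, d_rsa, n),   # (2790, 65)
        "ph": round_trip(42, e_ph, d_ph, p),      # (55, 42)
        "wrong_d_recovers": round_trip(65, e_rsa, d_wrong, n)[1],
    }


if __name__ == "__main__":
    print(demo())
```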

What About Contributory Infringement?

The discussion above relates to direct infringement of the RSA Patent (whether one performs all of the steps of one of the claims) but does not consider all of the possible ways in which one can be liable for patent infringement. Patent law also makes liable someone who "actively induces" infringement of a patent, or someone who contributes to the infringement by another if he "offers to sell or sells within the United States ... a component of a patented machine, manufacture, combination or composition, or a material or apparatus for use in practicing a patented process, constituting a material part of the invention, knowing the same to be especially made or especially adapted for use in an infringement of such patent, and not a staple article or commodity of commerce suitable for substantial noninfringing use . . . ."[20] The owner of the right to enforce the RSA Patent could attempt to attack those who sign or verify as contributory infringers, and those who develop the software which enables this activity as active inducers of infringement.



The major flaw in such claims is that for there to be either contributory infringement or inducement to infringe, there must be direct infringement.[21] One who merely verifies an RSA generated signature simply has not performed all of the steps claimed in the patent. The missing encryption and key generation steps have been performed by another (presumably licensed) user of the technology. Similarly, assuming a signer uses a licensed method for generating the keys, or if the signer does not herself generate or cause to be generated the RSA keys, there is no direct infringement by using an unlicensed method to perform the signing operation.[22] As long as the user only performs the signing or verification steps, there is no direct infringement. With no direct infringement, supplying the means for signing or verification is not contributory infringement.

A closer question of contributory infringement would arise if a developer of signing software knew of the unlicensed generation of RSA keys and deliberately adapted the software to assist in the use of those unlicensed keys in performing signature operations. (This issue is not present for verification; by definition, the person who verifies an RSA signature does not generate, or have access to, the private keys used for signing.) The RSA Patent rights owner could argue that the signing software was "especially adapted" for use in infringing the patent. Then, the argument would run, a user who both generated the keys using unlicensed means and used the developer's software for signing directly infringed the patent. This would supply the missing direct infringement and expose the developer to contributory infringement liability.

The outcome to this argument would turn in large measure on the nature of the developer's signing software. When an article is accused of being "especially adapted" for use in an infringing process or method, the article as a whole is considered, not just some particular feature or ingredient.[23] If, taken as a whole, the article has substantial, non-infringing uses, contributory infringement is not present, even if in some modes the article can assist in conduct which otherwise infringes the patent.[24] For example, software adapted to encrypt a message using Pohlig-Hellman keys would work as easily with RSA keys. Assuming that Pohlig-Hellman operations were considered "substantial," the use of the identical encryption and decryption operations certainly would be non-infringing.[25] Accordingly, it is quite possible to conceive of software which, while capable of performing RSA encryption, would be found as a whole to have substantial non-infringing uses. If software were developed which, taken as a whole, had substantial non-infringing uses, then the developer should not be found liable for contributory infringement merely because the keys were generated by unlicensed means.

A Real World Example: Secure Sockets Client

One of the most common uses of public key technology is in the Secure Sockets Layer (SSL) protocol, used by Netscape Navigator and other web browsers for secure communications over the internet. Secure sockets allows the user, typically an individual working from a personal computer at home (called the client), to communicate with a web site computer (called the server). The server might be operated by a merchant and the user might wish to have the client computer send a credit card number to the server to order goods. The secure sockets protocol uses public key techniques to encrypt the credit card number so that the number is not sent in plaintext over the internet. According to the analysis set forth in this article, the client should be able to perform all of the RSA encryption and verification steps without infringing the RSA Patent.

In simplified form, the secure sockets protocol using the RSA method works as follows.[26] After a client makes contact with the web site server, and a secure session is to be established, the server transmits a message to the client containing (1) the server's public key; and (2) a digital signature from a certificate authority certifying that the public key the server claims as its own is, in fact, its own. The client next verifies the server's public key using the signature authority's public key, which is installed with the browser software on the client's computer.[27] In this way, the client can be assured that the server is who it claims to be. The client is then ready to send confidential information (such as a credit card number) to the server.

The client will encrypt the credit card number, but will not use RSA or another public key technique to actually encrypt the data. RSA is much slower than other conventional encryption methods which use the same key to encrypt and decrypt. While this might not matter if all that is being encrypted is a single credit card number, in practice a secure session with a web browser may involve the transmission of thousands of bytes of information.

To avoid painfully long delays, the client will generate a random number for use as a conventional, symmetric key to encrypt all of the data being sent during the secure session. The client then encrypts this key using the server's RSA public key transmitted in the opening message from the server. The server receives this encrypted key, and decrypts it using its secret key. Both the client and the server are now in possession of a shared, symmetric key which both use to encrypt and decrypt all subsequent data being sent during the secure session.

In this protocol, the client does only two public key steps, and does not perform any key generation steps. First, the client verifies the server's public key. To perform the verification step, it uses the certificate authority's public key. That key, necessarily generated by the certificate authority, can reasonably be assumed to have been generated by a licensed entity.[28] The second step, encrypting the symmetric encryption key for the session, uses the public key supplied by the server. That key also can be presumed to have been generated by a licensed method. Although both decryption (verification) and encryption (of the session key) steps are performed by the client, there is every reason to believe that the key generation steps are performed by licensed methods.

Accordingly, because the client software does not generate any keys, the client does not directly infringe any of the claims of the RSA patent. Although the client does use two public keys (the server's and the certificate authority's) for encryption and decryption, those keys are almost certainly generated by licensed means. Accordingly, the client does not contribute to, or induce the infringement of, the RSA Patent.
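The exchange described above, as an added example that is not from the article or from any browser's code: a simplified model of the secure-sockets handshake with textbook RSA on constructed toy keys, logging which party performs which RSA step so the client's share (a verification, then encrypting a session key) can be inspected. The digest construction, the key sizes and the function names are my own assumptions.

```python
# Added example: who does which RSA step in a simplified SSL-style handshake.
# Textbook RSA on toy keys; a real certificate signs a hash of a full
# certificate body and uses keys of hundreds of digits.
import hashlib
import secrets
from math import gcd


def make_keys(p: int, q: int, e: int):
    """Key generation (done by the CA and the server, never by the client)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)*(q-1)")
    return {"e": e, "n": n}, {"d": pow(e, -1, phi), "n": n}


def digest_of_public_key(pub: dict, n_ca: int) -> int:
    """Reduce a hash of the server's public key into the CA's message range
    0 <= M <= n_ca-1 (constructed digest, for illustration only)."""
    raw = f"{pub['e']}:{pub['n']}".encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n_ca


def ca_sign(server_pub: dict, ca_priv: dict) -> int:
    """CA signs the digest with its private exponent: S = H^d mod n_ca."""
    H = digest_of_public_key(server_pub, ca_priv["n"])
    return pow(H, ca_priv["d"], ca_priv["n"])


def client_handshake(server_hello: dict, ca_pub: dict, log: list):
    """Client side: verify the CA signature (a decryption with the CA's public
    key), then encrypt a fresh symmetric session key under the server's public
    key. Returns the session key and the ciphertext sent to the server."""
    server_pub, signature = server_hello["public_key"], server_hello["signature"]
    log.append("client:verify")
    recovered = pow(signature, ca_pub["e"], ca_pub["n"])
    if recovered != digest_of_public_key(server_pub, ca_pub["n"]):
        raise ValueError("certificate signature does not verify")
    log.append("client:encrypt")
    session_key = secrets.randbelow(server_pub["n"] - 2) + 1  # 1 <= k <= n-2
    encrypted_key = pow(session_key, server_pub["e"], server_pub["n"])
    return session_key, encrypted_key


def run_protocol(tamper: bool = False):
    """Run CA, server and client; with tamper=True the signature arrives
    altered in transit and the client must refuse to continue."""
    log = ["ca:keygen"]
    ca_pub, ca_priv = make_keys(61, 53, 17)       # constructed toy CA key
    log.append("server:keygen")
    srv_pub, srv_priv = make_keys(89, 97, 5)      # constructed toy server key
    hello = {"public_key": srv_pub, "signature": ca_sign(srv_pub, ca_priv)}
    if tamper:
        hello["signature"] = (hello["signature"] + 1) % ca_pub["n"]
    try:
        session_key, encrypted_key = client_handshake(hello, ca_pub, log)
    except ValueError:
        return {"verified": False, "log": log}
    log.append("server:decrypt")
    server_key = pow(encrypted_key, srv_priv["d"], srv_priv["n"])
    return {"verified": True, "shared": server_key == session_key,
            "client_ops": [op for op in log if op.startswith("client:")],
            "log": log}


if __name__ == "__main__":
    print(run_protocol())
    print(run_protocol(tamper=True))
```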

Some Questions About the Validity of the RSA Patent Claims

The analysis in this article thus far has assumed that the broad claims of the RSA Patent, and particularly Claim 23, are valid. While patents are presumed valid, and an infringer has the burden of proving invalidity by clear and convincing evidence, some vulnerabilities of the RSA Patent have been exposed in the litigation RSA Data has been involved in. Among other weaknesses, the following appear: (1) some of the RSA claims may not cover patentable subject matter, (2) the inventors appear not to have disclosed in the specification the "best mode" of implementing the invention, as required by the patent laws, and (3) a real question exists regarding whether the invention is obvious in light of the Pohlig-Hellman work. Each of these weaknesses will be considered below.

How Can You Patent an Algorithm?

Those with passing familiarity with patent law may be startled at the assertion that a cryptographic algorithm can be claimed in a patent. The United States Supreme Court ruled in 1972 that an algorithm, which it defined as a "procedure for solving a given type of mathematical problem," was not a "process, machine, manufacture, or composition of matter" within the meaning of section 101 of the Patent Act,[29] and thus was not patentable subject matter.[30] Six years later, the Court reaffirmed this rule, holding that even if the applicant wanted to limit the claim to use of the algorithm in a specific application, it was still not within the allowable subject matter of section 101.[31] Cryptographic algorithms would seem to fall squarely within this proscription against patenting algorithms.

In 1981, however, a breakthrough Supreme Court decision paved the way for patent claims containing algorithms. The case, Diamond v. Diehr,[32] involved an improved process for making rubber. The improvement centered on an algorithm used to treat the rubber at specified temperatures. The Court held that when an algorithm is part of an otherwise patentable process (which manufacturing rubber certainly was), the presence of the algorithm among the other elements of the claim did not push the claim outside the bounds of section 101.

While the Supreme Court was deciding these cases, a trio of appellate court decisions refined the rules regarding when and how an algorithm may be incorporated into a patent. The three cases, In re Freeman,[33] In re Walter,[34] and In re Abele,[35] establish what the Federal Circuit refers to as the Freeman-Walter-Abele test for patentability when an algorithm is implicated in a patent claim. The test is stated as follows:

It is first determined whether a mathematical algorithm is recited directly or indirectly in the claim. If 
so, it is next determined whether the claimed invention as a whole is no more than the algorithm 
itself; that is, whether the claim is directed to a mathematical algorithm that is not applied to or 
limited by physical elements or process steps. Such claims are nonstatutory. However, when the 
mathematical algorithm is applied in one or more steps of an otherwise statutory process claim, or 
one or more elements of an otherwise statutory apparatus claim, the requirements of section 101 are 
met. 

Arrhythmia Research Technology, Inc. v. Corazonix Corp.[36] In other words, the fact that an 
algorithm is one of the elements of a claim of a patent does not make the claim invalid. If the 
algorithm is used as part of a physical process (such as the manufacture of rubber, as in Diehr) or is 
part of a physical device (such as an electrocardiograph device, as in Arrhythmia), the invention is 
patentable subject matter. 

Many of the existing cryptography patents contain attempts to meet this test by reciting the 
cryptographic algorithm as an element within a physical device. In the RSA Patent, this approach is 
stretched near if not beyond the breaking point. The only elements of the physical device claim which 
are not descriptions of the algorithm are "a communications channel," "an encoding means," and a 
"decoding means."[37] The broadest method (or process) claim of the RSA Patent describes using the 
algorithm to "encode" a "message word signal."[38] By using the most generic references to a device 
("encoding means"), and the most generic reference possible to a physical process (encoding a 
"message word signal"), this type of patent comes as close as possible to claiming the algorithm by 
claiming the use of the algorithm in essentially all possible machines or with all possible processes. 
Indeed, it is difficult to imagine how one could use the algorithm without a physical device which 
could be characterized as an "encoding means," or how one could apply the algorithm in a way which 
did not "encode" a "signal." 

Three recent Federal Circuit cases give insight into how the courts might apply the Freeman-Walter-
Abele test to a cryptographic algorithm. First, in In re Alappat,[39] the Federal Circuit used that test 
to find valid a patent which claimed an algorithm for displaying a smooth waveform from digital data. 
"Although many, or arguably even all, of the means elements recited in [the disputed claim] 
represent circuitry elements that perform mathematical calculations, which is essentially true of all 
digital electrical circuits," the Federal Circuit noted, the patent was nonetheless proper because "the 
claimed invention as a whole is directed to a combination of interrelated elements which combine to 
form a machine for converting discrete waveform data samples into . . . data to be displayed on a 
display means."[40] Alappat can be read to stand for the proposition that, if the physical machine 
which performs the algorithm is a computer, and if the output from the algorithm is otherwise 
displayed, it may well be that the "physical device" or "physical process" requirements of the 
Freeman-Walter-Abele test are met. 

Another Federal Circuit case, In re Warmerdam,[41] further confirms that court's generous view of 
algorithm-based patents. In Warmerdam, the court found patentable an invention claiming a "bubble 
hierarchy" algorithm used by computer-operated robots to avoid obstructions. Because a claim 
covered a "machine" (the computer and memory controlling the robot) it was patentable, even though 
the novelty of the invention consisted solely of the use of the algorithm.[42] 

The Federal Circuit has, however, limited the patentability of algorithm claims in at least one recent 
case. In In re Schrader,[43] the court found unpatentable a claim to an invention for processing 
auction bids. The court distinguished Abele and Arrhythmia based on the nature of the input to the 
algorithm. In Abele, the input was data from an X-ray CAT scan; in Arrhythmia, the input was data 
from an electrocardiograph. Both sources of input data, the Federal Circuit reasoned, involved "subject 
matter representative of or constituting physical activity or objects."[44] Bid data from auction 
bidders was mere "data gathering," according to the Schrader court, and thus was materially different 
from X-ray or heart-rate data.[45] The fact that the patent specification discussed displaying the 
resulting data on display screens did not affect patentability, nor did a claim element for entering the 
bid data in a "record."[46] 

One possible way to apply these cases to a cryptographic algorithm patent is to ask this question: is 
the input to a cryptographic system more like the data from auctioneers, or is it more like electro-
cardiograph, CAT-scan, or rubber temperature data? The latter are representations of a physical 
object, such as a part of the body. Bid data, in contrast, seems much closer to the plaintext message input 
of a cryptographic system. Both are merely abstract messages intended to be communicated from one 
party to another. The bid data algorithm of Schrader simply transformed the message in a way that 
extracted certain information for the auctioneer. An encryption algorithm simply transforms the message 
to protect privacy or security. 

If the test is, indeed, whether the input to the algorithm is data descriptive of a physical object 
existing in the real world (such as a heartbeat or the temperature of rubber) as opposed to an 
abstract message composed by a human being, the validity of a broad cryptography patent such as 
the RSA Patent is subject to genuine question. 

It bears emphasis that the patentability of the claims in the RSA Patent will vary, claim by claim. The 
attorneys who drafted the claims may have anticipated this problem; they added dependent claims 
which recite "register means" for accomplishing the steps claimed in the algorithm.[47] (Other 
dependent and independent claims simply add additional qualifications to the algorithm, and do not 
add any other physical structures to the claims.) The use of the term "register means" appears to 
have been intended to encompass a generic computer system at its most basic level. Under the 
current procedures applied by the Patent Office to patents claiming algorithms, however, one cannot 
transmute an unpatentable series of algorithm steps into a patentable machine merely by claiming 
the algorithm along with a generic computer performing the steps.[48] Thus, the addition of the 
"register means" elements to the claims did not materially improve their validity, and may in fact 
have limited the scope of the claims.[49] As written, all of the RSA Patent claims consist solely of 
algorithms combined with the most minimal, generic hardware means possible. A genuine question 
remains whether, in that form, they claim patentable subject matter. 

It is true that patents are presumed valid, and that clear and convincing evidence[50] of invalidity is 
required to attack an issued patent. This rule exists largely out of deference to the expertise of the 
Patent and Trademark Office. The question of patentable subject matter, however, has been treated 
as a question of law; the courts decide such questions de novo without deference to any 
administrative body.[51] Moreover, the RSA Patent was issued at a time when the law on algorithm-
based claims was unclear. Indeed, under the current examination guidelines, it is doubtful whether 
any of the RSA Patent claims would be allowed.[52] Accordingly, one could not have confidence in 
every case that the examiner was aware of the proper legal standard to be applied. 

Does the Patent Disclose the Best Mode? 

Section 112 of the Patent Act requires an inventor to fulfill certain requirements in making the details 
of the invention known in the specification of the patent. One of these obligations requires the 
inventor to "set forth the best mode contemplated by the inventor of carrying out his invention."[53] 
The best mode requirement "is intended to ensure that a patent applicant plays 'fair and square' with 
the patent system. It is a requirement that the quid pro quo of the patent grant be satisfied. One 
must not receive the right to exclude others unless at the time of filing he has provided an adequate 
disclosure of the best mode known to him of carrying out his invention."[54] Whether the best mode 
requirement has been met is a question of fact.[55] 

It appears that the principal inventor of the RSA Algorithm, Ronald Rivest, believed that certain 
criteria in the selection of the prime numbers ((p) and (q)) were important.[56] Evidence of his 
subjective belief comes from papers he wrote both before and after he applied for his patent. In 
August, 1977, before he applied for the patent, he wrote: 

To gain additional protection against sophisticated factoring algorithms, both (p-1) and (q-1) should 
contain large prime factors and gcd(p-1,q-1) should be small.[57] 

In January, 1978, Dr. Rivest published a paper in response to a proposed attack on his system, in 
which he gave more details about his preferred method of constructing his system.[58] In this later 
paper, Dr. Rivest noted that the prior paper "makes definite suggestions as to how the prime numbers 
p and q should be chosen," but that "this note should help make those suggestions less 
mysterious."[59] This January paper goes on to give more details about the selection of prime 
numbers, and further provides yet more details regarding the selection of the exponent (e) which Dr. 
Rivest preferred for additional security.[60] 

While Dr. Rivest's papers may have discussed his best mode of implementing the invention, the 
patent disclosure does not. The RSA Patent specification does refer to one of these papers, the one 
whose discussion Dr. Rivest later characterized as "mysterious." The best mode requirement cannot 
be met merely by references to other papers, however. The disclosure must be in the specification of 
the patent itself.[61] Accordingly, there is good reason to believe the RSA Patent is invalid because 
the inventors did not comply with the best mode requirement. 

Was the RSA Algorithm Obvious? 

Section 103 of the Patent Act provides that a patent is invalid "if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole would 
have been obvious at the time the invention was made to a person having ordinary skill in the art . . . ." 

Section 102 of the Patent Act defines what is and what is not prior art for the purpose of applying 
the obviousness test of section 103.[62] Under section 102(a), prior art includes matters "known or 
used by others in this country, or patented or described in a printed publication in this or a foreign 
country, before the invention thereof by the applicant" (emphasis added), and under section 102(g) 
prior art includes prior inventions by another. The Pohlig-Hellman paper[63] is likely to be held as 
prior art under sections 102(a) or (g), as a printed publication, as public knowledge, or as a prior 
invention. 

The file wrapper of the RSA Patent reveals that the inventors of the RSA Patent did not disclose the 
Pohlig-Hellman paper to the Patent Office and that the examiner did not consider whether the use of a 
non-prime number in lieu of a prime number (the only difference between Pohlig-Hellman and RSA) 
was obvious. While the presumption of validity is available even where prior art has not been 
considered during the prosecution of a patent, that presumption is not as strong where the art was 
not submitted to the examiner. There are a number of references in the prior art, moreover, to using 
the problem of factoring composite numbers in cryptography, dating back to the 19th century.[64] 
Accordingly, should the RSA Patent ever become subject to further litigation, it may not survive a 
validity challenge based on the Pohlig-Hellman work. 

Conclusion 

Due largely to luck, bluster, and the naivete of potential competitors, the owner of United States 
Patent No. 4,405,829 has enjoyed a virtual monopoly on all uses of the RSA Algorithm. However, a 
careful scrutiny of the RSA Patent claims, and other details of its disclosure and prosecution, reveals 
both significant limits to the scope of the patent and material questions regarding its validity. While 
this article is not intended by the authors as legal advice to the reader nor as an invitation or 
encouragement to infringe the RSA Patent or any other patent, those interested in implementing this 
technology should take a close look at the patent (and obtain the advice of a competent attorney 
familiar with the proposed project) before accepting at face value the oft-repeated notion that "RSA 
is patented." 

Mr. Flinn and Mr. Jordan practice with the law firm of Alston & Bird, LLP, located in Atlanta, 
Georgia. Mr. Flinn is a member of the California and Georgia Bars, and Mr. Jordan is a member of the 
Georgia Bar and is admitted to practice before the United States Patent & Trademark Office. They 
have represented clients in litigation against RSA Data Security, Inc., regarding, among other things, 
the validity of the RSA Patent. The opinions expressed in this article are personal, however, and do 
not necessarily reflect the opinions of their firm, or any client of their firm. 

This article consists of statements of personal opinion by the authors, and is neither legal advice nor 
an invitation to any person to practice any invention claimed in any patent. Because the specific 
circumstances of any individual or entity will determine the extent of exposure to liability for 
infringing a patent, reliance on this or any other article of general applicability should not be 
substituted for legal advice from an attorney familiar with your particular circumstances. 

Portions of this article were previously published in the March, 1997 and June, 1997 editions of 
Electronic Banking Law and Commerce Report (Glasser Legal Works). 

[1] Ronald L. Rivest, Adi Shamir, Len Adelman, "On Digital Signatures and Public Key Cryptosystems," 
MIT Laboratory for Computer Science Technical Memorandum 82 (April 1977). 

[2] The latest version of the PGP program for personal use is PGP for Personal Privacy, Version 5.0, 
which is available in beta form for download at http://www.pgp.com, and will be in final form in late 
May 1997. This new version offers a choice between the RSA algorithm, on the one hand, and the 
DSS/Diffie-Hellman algorithms, on the other. 

[3] For example, Bruce Schneier's otherwise excellent book, APPLIED CRYPTOGRAPHY (2d ed.), John 
Wiley & Sons (1996) at 474, (hereinafter Schneier) contains this overstatement. 

[4] A "key" in these systems is not a physical device, but is a number (akin to a password). The 
encryption key is used as an input to the mathematical formula which transforms a readable message 
into apparently meaningless gibberish. The decryption key is the number used as an input to the 
formula which transforms the apparent gibberish back into the original message. 

[5] Alice does not have to encrypt the whole message just to sign it. In fact, because such large 
numbers are used in real-world implementations of this technology, the encryption operation can be 
quite slow. Instead, Alice can use something called a "hashing algorithm" to transform a message of 
any size into a string of numbers of a fixed (and usually smaller) size. If the hashing algorithm is 
designed properly (and there are a number in current use), different messages should not produce 
the same hash. Accordingly, the hash acts as a digital "fingerprint" of the message. Alice can then 
encrypt the hash, not the message itself, with her private key. To verify the signature, Bob simply re-
hashes the message using the same hashing algorithm Alice used, and then decrypts Alice's hash with 
her public key. If the hashes match, the message is authentic and has not been altered in transit. 

[6] Bob should have some way of being confident that the number he thinks is Alice's public key is, in 
fact, her public key. There are a number of alternative proposals and methods for allowing for the 
verification of public keys, and the debate over them is lively, but the details of the competing systems 
are beyond the scope of this discussion. 

[7] Substituting numbers for variables, a modular arithmetic operation looks like this: 1 = 2^4 mod 5. 
The base (2) multiplied by itself four times (the exponent (4)) is equal to 16 (2*2*2*2=16), so 

1 = 16 mod 5 

because there are 3 fives in 16 (3 times 5 is 15) and a remainder of 1. 

[8] A prime number is one which is divisible only by itself and the number 1. The numbers 17 and 31 
are prime, for example, but 15 (divisible by 1, 3, 5 and 15) and 21 (divisible by 1, 3, 7 and 21) are 
not. 



[9] The number representing the message (M) should be less than the modulus (n) if decryption is to 
succeed. In addition, the multiplicative inverse (d) only exists if (e) is relatively prime to (has no 
prime number factors in common with) the number (p-1)*(q-1). 

[10] The patent defines (d) and (e) as multiplicative inverses modulo the "least common multiple" (or 
"lcm") of (p-1) and (q-1), a value which divides the value (p-1)*(q-1) used here, resulting in 
additional possible values for d beyond the simplified version given here. This detail is not important 
to the discussion in this article, however. 

[11] 35 U.S.C. section 271(a). 

[12] E.g., Texas Instruments, Inc. v. U.S. Int'l Trade Commission, 805 F.2d 1558, 1562 (Fed. Cir. 
1986), reaff'd, reh'g denied, 846 F.2d 1369 (1988). 

[13] The independent claims are: 1, 3, 8, 13, 18, 23, 25, 29, 33, and 37. 

[14] In patent law, as in horseshoes and hand grenades, "almost" counts. One can be liable for patent 
infringement even if one does not literally infringe all of the elements of a claim. Under a theory 
called the "doctrine of equivalents," recently upheld by the U.S. Supreme Court, infringement can be 
found as long as the defendant infringes a "substantial equivalent" of an element of a claim not 
literally infringed. Warner-Jenkinson Co. v. Hilton Davis Chemical Co., 520 U.S. ___, 117 S.Ct. 1352 
(March 31, 1997). 

[15] A number is "relatively prime" to another number if the two numbers have no factors in common 
except for the number 1. For example, the numbers 8 and 21 are not prime numbers (each has a 
factor other than itself and 1) but 8 and 21 are relatively prime to one another because the only 
common factor they have is the number 1 (the factors of 8 are 1, 2, 4, and 8; the factors of 21 are 1, 
3, 7 and 21). 

[16] As these terms are used in the RSA Patent, the "message" is "encoded" into "ciphertext" and 
"ciphertext" is sent from the first party to the second. See RSA Patent at Col. 1, Line 56 - Col. 2, Line 
[illegible]. The recipient receives "ciphertext" and "decodes" the "ciphertext" into the "original message." Id. 
Thus, a person wishing to verify a digital signature must have received "ciphertext," and thus must 
"decode" it, because the "message" is not transmitted through the communications "channel." Id. 

[17] Other components in the algorithm probably are interchangeable. For example, the encryption 
exponent (e) and the decryption exponent (d) each meet the definition of the other. The fact that the 
exponent (d) is the multiplicative inverse of the exponent (e) mod (p-1)*(q-1) proves the converse, 
that (e) is the multiplicative inverse of (d), and that (e) and (d) are both relatively prime to (p-1)*(q-1). 
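The arithmetic that notes 5, 7, 9, 10, 15 and 17 describe in words, together with the prime-selection advice quoted from Dr. Rivest at note 57, is collected in the following Python program. It is an added illustration, not code from the article, from the RSA Patent, or from RSA Data Security; the primes 61 and 53, the exponent 17, the message number 65 and the signed text are constructed toy values (real keys use primes hundreds of digits long), and the function names are the author's own. Following note 10, the decryption exponent is computed modulo lcm(p-1, q-1) by default, with the article's simplified (p-1)*(q-1) available as an option; the program also shows the note 9 failure modes (no inverse when e is not relatively prime to the modulus; a message not below n) and the note 17 symmetry between e and d.

```python
import hashlib
from math import gcd


def lcm(a: int, b: int) -> int:
    """Least common multiple, the modulus the RSA Patent uses for d (note 10)."""
    return a * b // gcd(a, b)


def largest_prime_factor(x: int) -> int:
    """Trial-division helper for inspecting Dr. Rivest's criterion that p-1 and
    q-1 should each contain a large prime factor (note 57)."""
    f, last = 2, 1
    while f * f <= x:
        while x % f == 0:
            last, x = f, x // f
        f += 1
    return max(last, x) if x > 1 else last


def rivest_criteria(p: int, q: int) -> tuple:
    """Return (largest prime factor of p-1, largest prime factor of q-1,
    gcd(p-1, q-1)).  With the toy primes used below every value is tiny,
    which is exactly why such a modulus would never be used in practice."""
    return largest_prime_factor(p - 1), largest_prime_factor(q - 1), gcd(p - 1, q - 1)


def keygen(p: int, q: int, e: int, use_lcm: bool = True) -> tuple:
    """Return (n, e, d).  d is the multiplicative inverse of e modulo
    lcm(p-1, q-1) (the patent's definition, note 10) or modulo (p-1)*(q-1)
    (the article's simplified version).  Note 9: d exists only when e is
    relatively prime to that modulus (note 15 defines 'relatively prime')."""
    m = lcm(p - 1, q - 1) if use_lcm else (p - 1) * (q - 1)
    if gcd(e, m) != 1:
        raise ValueError("e=%d is not relatively prime to %d; no inverse d exists" % (e, m))
    d = pow(e, -1, m)  # modular inverse (Python 3.8+)
    return p * q, e, d


def apply_exponent(x: int, exponent: int, n: int) -> int:
    """The one operation behind encrypt, decrypt, sign and verify:
    x^exponent mod n, as in note 7's 1 = 2^4 mod 5.  Note 9: the input must be
    below the modulus, otherwise the result cannot be inverted."""
    if not 0 <= x < n:
        raise ValueError("input %d must be less than the modulus %d" % (x, n))
    return pow(x, exponent, n)


def sign(message: bytes, n: int, d: int) -> int:
    """Hash-then-sign (note 5): apply the private exponent to a digest of the
    message, not to the message itself.  The digest is reduced modulo n only
    because the toy modulus is far smaller than a SHA-256 digest."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return apply_exponent(h, d, n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Bob re-hashes the message and 'decodes' the signature with Alice's public exponent."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return apply_exponent(signature, e, n) == h


if __name__ == "__main__":
    # Constructed toy parameters (hypothetical values, not from the patent).
    p, q, e = 61, 53, 17
    n, e, d = keygen(p, q, e)                  # n = 3233, d = 413 (mod lcm 780)
    c = apply_exponent(65, e, n)               # 65 is the message number M
    assert apply_exponent(c, d, n) == 65       # decrypting with d restores M
    assert pow(d, -1, lcm(p - 1, q - 1)) == e  # note 17: e and d are interchangeable
    s = sign(b"pay Bob $10", n, d)
    print(n, d, c, s, verify(b"pay Bob $10", s, n, e), rivest_criteria(p, q))
```

Because the map x -> x^e mod n is a permutation of the residues when e is relatively prime to lcm(p-1, q-1), any change to the signature value changes the "decoded" hash, so verification of an altered signature fails deterministically rather than merely with high probability; the reduction of the digest modulo n is an artifact of the toy key size and is not how production implementations pad a hash.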

[18] See Stephen C. Pohlig and Martin E. Hellman, "An Improved Algorithm for Computing Logarithms 
over GF(p) and its Cryptographic Significance," IEEE TRANSACTIONS ON INFORMATION THEORY (Jan. 
1978) (article submitted on June 17, 1976). 

[19] The application for a patent on the Pohlig-Hellman system was pending during the period the 
RSA patent was being prosecuted, and the Patent Office declared an "interference" in which both sides 
were allowed to compete for a claim which would have covered the generic process of encryption and 
decryption using exponentiation and modular arithmetic. Stanford University and MIT abandoned the 
interference in the early 1980's, however, so neither side was awarded this generic claim. 

[20] 35 U.S.C. section 271(c). 

[21] E.g., Joy Technologies, Inc. v. Flakt, Inc., 6 F.3d 770, 774 (Fed. Cir. 1993); Met-Coil Systems 
Corp. v. Korners Unlimited, Inc., 803 F.2d 684, 687 (Fed. Cir. 1986). Inducing infringement also 
requires an intent element not present in a claim for contributory infringement. Hewlett-Packard Co. 
v. Bausch & Lomb, Inc., 909 F.2d 1464, 1468 (Fed. Cir. 1990). 
[22] One cannot contribute to the infringement if the "direct" infringer is licensed, expressly or 
impliedly. See, e.g., Universal Electronics, Inc. v. Zenith Electronics Corp., 846 F. Supp. 641 (N.D. 
Ill.) (no contributory infringement or inducement to infringe by manufacturer of "universal" remote 
control for television where the purchaser of the replacement remote has an implied license to 
practice the invention arising out of purchase of the original television-remote combination), aff'd w/o 
op., 41 F.3d 1520 (Fed. Cir. 1994). 

[23] [citation illegible], cert. denied, 485 U.S. 1007 (1988). 

[24] See C.R. Bard, Inc. v. Advanced Cardiovascular Sys., Inc., 911 F.2d 670, 674 (Fed. Cir. 1990); 
Universal Electronics, 846 F. Supp. at 651. 

[25] Other non-RSA public key variants, such as Diffie-Hellman and El-Gamal, all use exponentiation 
and modular reduction. See, e.g., Schneier at 476-478, 513-516. While Pohlig-Hellman is the closest 
system to RSA, it is certainly true that the mathematical steps involved in RSA encryption and 
decryption are the same steps used in many other non-infringing cryptographic systems. 

[26] The details of the SSL protocol may be found at http://home.netscape.com/eng/ssl3/ssl-toc.html. 

[27] Netscape Navigator, for example, installs a file named "cert.db" with the other program files. 

[28] Indeed, RSA Data itself operates a certificate authority business, and RSA certificate keys are 
supplied with the Netscape Navigator Browser. 

[29] The basic patent statute, 35 U.S.C. section 101, provides, "[w]hoever invents or discovers any 
new and useful process, machine, manufacture, or composition of matter, or any new and useful 
improvement thereof, may obtain a patent therefor . . . ." 

[30] Gottschalk v. Benson, 409 U.S. 63, 65 (1972). 

[31] Parker v. Flook, 437 U.S. 584, 586 (1978). 

[32] 450 U.S. 175 (1981). 

[33] 573 F.2d 1237 (C.C.P.A. 1978). 

[34] 618 F.2d 758 (C.C.P.A. 1980). 

[35] 684 F.2d 902 (C.C.P.A. 1982). 

[36] 958 F.2d 1053, 1058 (Fed. Cir. 1992). 

[37] RSA Patent at Col. 14, Line 38 - Col. 15, Line 5. 

[38] Id. at Col. 25, Lines 47-67. 

[39] 33 F.3d 1526 (Fed. Cir. 1994). 

[40] Id. at 1544. 

[41] 33 F.3d 1354 (Fed. Cir. 1994). 

[42] Id. at 1360-1. 

[43] 22 F.3d 290 (Fed. Cir. 1994). 

[44] Id. at 294 (emphasis in original). In Warmerdam (subsequent to Schrader), the input data was 
information about the physical objects the robot might encounter, and thus would also satisfy the 
"physical activity or object" test. 

[45] In re Schrader, 22 F.3d at 294. 

[46] Id. at 293-94. 

[47] See RSA Patent claims 2, 4, 9, 14, 19, and 34. 

[48] The United States Patent & Trademark Office will consider claims reciting generic computer 
hardware as process claims which themselves must be independently patentable. See United States 
Patent & Trademark Office, Examination Guidelines for Computer-Related Inventions, 61 Fed. Reg. 
7478 (1996) (hereinafter, "Guidelines"). These Guidelines have been called "persuasive authority" by 
the Federal Circuit. In re Trovato, 60 F.3d 807 (Fed. Cir. 1995). 

[49] These claims are stated in so-called "means-plus-function" terms, which is permissible under the 
last paragraph of 35 U.S.C. section 112. When claims are written in these terms, however, they are 
limited to covering "the corresponding structure . . . described in the specification and equivalents 
thereof." We have not analyzed whether the specific computational hardware disclosed in the 
specification of the patent differs in any material way from the processors used in modern computers, 
and it may well be that these claims are limited to 1977-era computational equipment. This article 
assumes, however, that a modern computer CPU would be considered at least the "equivalent" to the 
"register means" claimed in these dependent claims. 

[50] This may be contrasted with the "preponderance-of-evidence" standard typical in other civil 
litigation. 

[51] In re Donaldson Co., 16 F.3d 1189, 1192 (Fed. Cir. 1994). 

[52] See generally Guidelines, supra note 45. 

[53] 35 U.S.C. section 112. 

[54] Amgen, Inc. v. Chugai Pharmaceutical Co., 927 F.2d 1200, 1209-10 (Fed. Cir.), cert. denied, 502 
U.S. 856 (1991). 

[55] Amgen, 927 F.2d at 1209; Engel Industries, Inc. v. Lockformer Co., 946 F.2d 1528, 1531 (Fed. 
Cir. 1991). 

[56] Ironically, it turns out that Dr. Rivest was wrong in his belief that these (and other) limitations 
on the selections of (p) and (q) made a significant difference in the security of the system. 
Subsequent research showed that, even with careful selection of (p) and (q), one could not avoid the 
sort of weakness in the modulus Dr. Rivest was hoping to avoid. See Alfred J. Menezes, Paul C. van 
Oorschot, Scott A. Vanstone, HANDBOOK OF APPLIED CRYPTOGRAPHY, section 3.2.4, p. 94 (CRC 
Press 1997). Users were told that a "careful" selection of primes allowed a given level of security to be 
achieved with a smaller modulus than would otherwise be required. In fact, this is an unsafe 
improvement, and the larger modulus is needed to achieve that level of security. Any impact of this 
fact on the validity of the patent is beyond the scope of this article. 



[57] Ronald L. Rivest, Adi Shamir, Len Adelman, "A Method for Obtaining Digital Signatures and Public 
Key Cryptosystems," MIT LABORATORY FOR COMPUTER SCIENCE TECHNICAL MEMORANDUM 82 
(Revised August 1977) at 10. 

http://www.cyberlaw.com/rsa.html 8/29/2000 

[58] Ronald L. Rivest, "Remarks on a Proposed Cryptanalytic Attack on the M.I.T. Public-Key 
Cryptosystem," CRYPTOLOGIA (January 1978). 

[59] Id. at 2. 

[60] Id. at 4-5. 

[61] See Dana Corp. v. IPC Limited Partnership, 860 F.2d 415, 418-419 (Fed. Cir. 1988), cert. 
denied, 490 U.S. 1067 (1989); Advanced Semiconductor Materials America, Inc. v. Applied Materials, 
Inc., 1994 W.L. 715634 (N.D. Cal. Dec. 16, 1994) (denying motion for summary judgment on best 
mode defense, ruling that the PTO Manual of Patent Examining Procedure, which specifically disallows 
incorporation by reference to "non patent publications" to comply with the best mode requirement, 
established the legal rule for incorporation by reference). 

[62] Graham v. John Deere Co., 383 U.S. 1, 14-15 (1966). 

[63] See note 18 above. 

[64] In 1870, a book by William S. Jevons described the relationship of one-way functions to 
cryptography and went on to discuss specifically the factorization problem used to create the "trap-
door" in the RSA system. In July, 1996, one observer commented on the Jevons book in this way: 

In his book The Principles of Science: A Treatise on Logic and Scientific Method, written and published 
in the 1890's, William S. Jevons observed that there are many situations where the 'direct' operation 
is relatively easy, but the 'inverse' operation is significantly more difficult. One example mentioned 
briefly is that enciphering (encryption) is easy while deciphering (decryption) is not. In the same 
section of Chapter 7: Introduction titled 'Induction an Inverse Operation', much more attention is 
devoted to the principle that multiplication of integers is easy, but finding the (prime) factors of the 
product is much harder. Thus, Jevons anticipated a key feature of the RSA Algorithm for public key 
cryptography, though he certainly did not invent the concept of public key cryptography. 

Solomon W. Golomb, On Factoring Jevons' Number, CRYPTOLOGIA 243 (July 1996) (emphasis added). 
HYBRID ENCRYPTION METHOD AND SYSTEM FOR PROTECTING REUSABLE SOFTWARE COMPONENTS 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to a system and method for protecting reusable software components. In particular, the present invention encrypts software components in a reusable software component library to protect against unauthorized modification and to assure authenticity of software components when the software components are decrypted by a reuser. 

2. Description of the Prior Art 

The ability to produce ever larger software systems while improving their quality and reducing their development time crucially depends upon a capability to "reuse" previously developed software components in new systems. There is an emerging electronic marketplace that will enable potential reusers to browse libraries of software components, select suitable ones, and obtain them for reuse. Rudiments of such a marketplace already exist in operational software reuse libraries. Such libraries, though, are vulnerable to the unauthorized modification of existing code or to unscrupulous parties who might misrepresent the origin of code which they place into the library. 

A reuse library must provide protection against the unauthorized modification of software components in [...]. Without such protection, publishers would [...] to place their software in a reuse library and reusers would be reluctant to use software components from the reuse library. Without such protection, software components are subject to modification for purposes of malicious sabotage, espionage or others. Modification by an innocent [...] party can also cause problems due to incompetence, carelessness, a lack of discipline or misunderstanding. The ability of a third party to modify a software component without detection cannot be tolerated in the reuse marketplace. 

The authentication problem arises where an unscrupulous party seeks to pass off (or palm off) their software components as that of another publisher, thereby preying on the reputation and goodwill of other publishers. This is of particular importance in the reuse marketplace because reusers can often only rely on the reputations and software development processes used by software publishers. 

Many agencies today are actively involved in developing and evolving their software development processes. Independent organizations such as the Software Engineering Institute (SEI) evaluate these processes and rate them according to an established set of criteria. Reusers can rely on these evaluations in making their reuse selections. [...] component being purchased is the software producer and not some other third party. There is also a critical need to provide the reuser with an assurance that a software component has not been corrupted or modified. 

SUMMARY OF THE INVENTION 

The present invention is directed to a method and apparatus that satisfies these needs. It is an object of the invention to provide an integrity mechanism that provides an indication that a software component has been modified. It is an object of the invention to quickly provide an integrity mechanism that provides an indication that a software component has been modified. It is a still a further object to prevent third parties from modifying software components in a reuse library. It is an object of the invention to provide an authentication mechanism that provides reusers with assurance that the software component is the authentic product of its stated publisher. It is yet another object of the invention to prevent third parties from passing off their software components as that of another. It is still another object of the invention to provide for the authenticity of a software component and an indication of whether the software component has been modified. 

Accordingly, the present invention provides a system and method for providing a reuser with an indication of the [...] component from a reuse [...] component has been modified. The present invention comprises a method for reusing software components that maintains the integrity [...] components. The method comprises [...] software component record by encrypting a representation of a software component into an encrypted software component with a first cryptographic algorithm using a first key; hashing the encrypted [...]; [encrypt]ing the first hash digest and the first key using [a second] cryptographic algorithm with a second key, wherein said second cryptographic algorithm is of a public key type and said second key is the private key associated with at least one public key, said software component record consisting of the encrypted software component, the encrypted hash digest, and the encrypted first key. The software component record is then stored in a reuse library. The software component can then be retrieved from the reuse library. The plaintext representation of the software component is then generated by obtaining a public key associated with the second key from a public key directory; decrypting the encrypted hash digest and the encrypted first key into the decrypted first key and the decrypted first hash digest using the public key and the second cryptographic algorithm; hashing the encrypted software component to generate 

There are also legal considerations to be considered a second hash digest; comparing the second hash digest 

such as who is representing that they created the soft- with the decrypted first hash digest, and if not i de nti c al 

ware. Under current copyright law the innocent in- 60 indicating that the software component is corrupted, if 

fringer loses against the true owner of the copyri^ited identical indicating that the software is not corrupted; 

work. The reuser needs some assurance that pubU^er decrypting the encrypted software component into the 

has the right to permit the reuser to make use of the plaintext representation using the decrypted first key 

software component Without such assurances the and the first encryption algoritiun. 

reuser risks any gains by reuse in a subsequent legal 65 The present invention comprises a network of com- 

battle. puter systems comprising a reuse library, a directory, at 

There is a critical need to provide a reuser with an least one publisher's woricstation and at least one reu- 
assurance that the identity of the producer of software ser^s workstation. The reuse library havmg a plurality 
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of encrypted software components each software com- FIG. 7 depicts the steps required to generate a plain- 

ponent record having an encrypted software compo- text representation of a software component from a 

nent, an encrypted hash digest, and an encrypted first software component record, 

key; the reuse library also having a storage means for FIG. S depicts one embodiment of a computer system 

storing encrypted software components and a retrieval 5 for generating a software component record, 

means for retrievtng encrypted software components. FIG. 9 depicts one embodiment of a computer system 

The directory containing a list of publishers and an for generating a software component from a software 

associated list of public keys. A publisher's woricstation component record. 

coupled to the reuse library, having an first encrypting ^^G. 10 depicts one embodiment of a computer sys- 

means for encrypting a plaintext representation of a ^ tem for the reuse library. 

software component into a encrypted software compo- DETAILED DESCRIPTION OF THE 

nent with a first cryptographic algorithm osing first INVENTION 

key; an hashing means for hashing the encrypted soft- rT^rvrr^ 

ware component to generate a first hash digest; a sec- J- ^^^^fJ^J?^^ 

ond encrvDtine means for encrypting the first hash OVERVIEW 

SsrSTtte folTy u«Bg .^d cryptographic m._^^TOGRAFmC ALCSORTTHMS & FUNC- 

algorithm with a second key, wherein said second cryp- P owrview 

tographic algorithm is of a publk: key algorithm type J- ^^^^ KEY and CONVENTIONAL CRYP- 

and said second key is the pubbshcr's pnvate key associ- togi^lP 

atedwithapublisher'spublkkey,said«)ft>^^ C. KCAMPLE CRYFIXXjRAPHIC ALGO- 

nent record consistmg of the encrypted software com- RmaJs v.iw*irivAjxu^xiiw txxjs^ 

ponent, the encrypted hash digest, and the encrypted Conventional Algorithms 

fint key; a communications means for sradiog the soft- ^ ^ - Algahhms 

ware component record to the reuse library for storage ^ HASHING 

by the storage means. A reuser workstatkm coupled to jy pxjBLISHING 

the reuse library, said reuser workstation having a re- ^ DESCRIPTION 

questing means for sending a request to the reuse library ^ ' £]^{S0DIMENTS 

for a desired encrypted software component, wherein y ^usjNG 

said request causes the retrieval means of the reuse ^ DESCRIPTION 

library to retrieve the desired software component and BROWSING MEANS 

send it to the requesting woricstation; a means for ob- q EMBODIMENTS 

taining the public key from the directory, said public yi REUSE LIBRARY 

key associatisd with the second key of the desired en- ^ DESCRIPTION 

crypted software component; a first decrypting means 35 g EMBODIMENTS 

for decrypting the encrypted hash digest and the en- yjj^ DIRECTDRY 

crypted first key into the decrypted first key and the yilL ADVANTAGES AND CLOSING 

decrypted first hash digest using the public key and the 

second cryptographic algorithm; an hashing means for L DEFINTIIONS 

hashing the encrypted software component to generate 40 , a. ••SOFTWARE COMPONENT' is a set of state- 

a second hash digest; a comparing means for comparing ments or instntctions to be used directly or indirectly in 

the second hash digest with the decrypted first hash ^ computer in orda to bring about a certain result 

digest, and if not identical indicating that the software Thus, a software component can consist of a complete 

component is corrupted, if identical hidicating that the software application, a set of related applications, a 

software is not corrupted; a second decrypting means 45 module, a single proccdore or program, a set of proce- 

for decrypting the encrypted software component into dures or programs, a software package or a set of soft- 

the plaintext representation using the decrypted first ^^re p^cV*ge^ It is preferable for reuse software com- 

key and the first encryption algorithm. ponents to be provided in source code in human read- 

BRIEF DESCRIPTION OF THE DRAWINGS format. 

The foregoing and other objects, aspects and advan- ^ OVERVIEW 

tages of the invention will Inc better understood from FIG. 1 shows the major elements of the present in- 

the following detailed description with reference to the vention a publisher 101, a reuse library 103, a directory 

drawings, in which: 105 and a reuser 107. The reuse library 103 can contain 

FIG, 1 shows a functional overview of the present S5 many software components. The software components 

invention. axe created by software providen. These software pro- 

FIG. 2 shows a functional overview of the present viders, called publishers herein, are responsive for the 

invention depicting multiple publishers and multiple creation ofsoftware components. The act of placing the 

reusers. software component into the reuse library is referred 

FIG. 3 depicts generating various components of a 60 herem as publishing the software oompcment Once 

software component record. placed in the reuse library by a puUisher, the software 

FIG. 4 depicts a representation of a software compo- component becomes avaOable for reuse by other enti- 

nent record. ties. These other entities may consist of individuals, 

FIG. 5 depicts the steps required to generate various corporations, associations, government branches agen- 

compbnents of a software component record. 65 des or departments. The reuser 107 must decide 

FIG. 6 depicts generation of the plaintext representa- whether a software component placed in the reuse li- 

tion of a software component from a software compo- brary is suitable for an application or software require- 

nent record. ment that they may have. The reuser can browse soft- 
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ware components in the reuse library wliile determining 
whether any software components suit the reuser's par- 
ticular requirements. By making use of software compo* 
nents in the reuse hl)rary the reuser can reduce tiieir 
software development costs. The act or process 5 
wherry a reoser selects a software component for use 
m an application or software effort b herein referred to 
as reusing. Reusmg includes browsing of software com- 
ponents in the reuse library. 

Although FIG. 1 shows only one publisher 101 and one reuser 107, the present invention contemplates many publishers and many reusers. In fact publishers may also be reusers and reusers may also be publishers. Multiple publishers and multiple reusers are shown in FIG. 2. The reuse library 103 may also consist of multiple libraries where each library is oriented towards particular classes of reusers, for instance based on language type (e.g., C or Ada), on the type of application (e.g., real time systems or embedded systems), or on application or function (e.g., accounting, navigation, air traffic control, word processing, etc.). Thus, a multitude of reuse libraries are contemplated by the present invention. The reuse library may also perform certain classifying or cataloging functions so that a software component is indexed properly or more easily located by a potential user.

When the publisher 101 decides that a particular software component is ready for the reuse library 103, several steps must be taken so that an eventual reuser is assured that it is the particular publisher's software component and not an impostor's, and that the software component has not been modified. The software component as developed by the publisher typically consists of a plaintext representation. This is typically an ASCII or EBCDIC encoded representation. An operator can thus view the software component on a display screen or print the software component on a printer. The plaintext representation is the unencrypted format. Before transmitting or sending the software component to the reuse library the software component is encrypted using the hybrid encryption technique of the present invention. Two cryptographic algorithms are used to encrypt the software component: a conventional key algorithm and a public key algorithm. The encrypted software component is then sent to the reuse library for storage and eventual retrieval by a reuser. The encrypting or enciphering method assures that any reuser of the software component is provided with notice that the software component has been modified or that the software component is not authentic (i.e., that the publisher associated with the software component in the reuse library is not in fact the actual publisher). The publisher encrypts the software component using the hybrid technique with the publisher's private cryptographic key. Only the publisher knows the private key. This key must be safeguarded by the publisher if they are to assure the integrity of their software components. In order for the encrypted software component to be decrypted the reuser must use the publisher's public key. The public key is associated with the publisher's private key, but cannot be used to derive the private key.

In order for the reuser to make use of an encrypted software component the reuser must decrypt the encrypted software component from its encrypted form into its plaintext representation. The present invention requires that the reuser have the publisher's public key in order to obtain the plaintext representation of the software component. The reuser obtains the publisher's public key from the directory of publishers' public keys. The public key may be made available in a separate notebook, a traditional book, a separate file server, or as part of the reuse library. The directory 105 may also be provided on a trusted platform connected to the reuser by a trusted path to assure that only authorized reusers are provided with access to the reuse library. With the public key the reuser is able to obtain the plaintext representation of the software component.

III. CRYPTOGRAPHIC ALGORITHMS & FUNCTIONS

A. OVERVIEW 

Cryptography is the transformation of intelligible information into apparently unintelligible form in order to conceal the information from unauthorized parties. Cryptography is a known practical method to protect information transmitted electronically through communications networks and, as will be shown with the present invention, can be an economical way to protect stored data. The cryptographic transformation of data is defined by a cryptographic algorithm or procedure under the control of a value called a cryptographic key. See the text "Cryptography and Data Security" by Denning, Addison-Wesley Publishing Company (1982).

Cryptographic methods can be used to protect not only the confidentiality of data, but the integrity of data as well. Data confidentiality is the protection of information from unauthorized disclosure. Data integrity is the protection of information from unauthorized modification.

There are two basic elements associated with any cryptographic system. These elements are a set of unchanging rules or steps called a cryptographic algorithm and a set of variable cryptographic keys. The algorithm is composed of encrypting and decrypting procedures which usually are identical or simply consist of the same steps performed in reverse order, but which can be dissimilar. The keys selected by the user consist of a sequence of numbers or characters. An encryption key (Ke) is used to encrypt plaintext X into ciphertext Y as shown below

and a decryption key (Kd) is used to decrypt ciphertext Y into plaintext X as shown below.

B. PUBLIC KEY and CONVENTIONAL CRYPTOGRAPHIC SYSTEMS

There are two basic types of cryptographic algorithms: conventional and public key (also referred to as symmetric and asymmetric). With a conventional algorithm the encryption and decryption keys may either be easily computed from each other or the keys may be identical (Ke=Kd=K). In a public key algorithm, one key (usually the encryption key) is made public and a different key (usually the decryption key) is kept private. As will be discussed in detail below, the present invention utilizes the private key to encrypt and the public key to decrypt. With a public key system it must not be possible to deduce the private key from the public key. When an algorithm is made public, for example with a published encryption standard, cryptographic
with a published encryption standard, cryptographic 
security completely depends on protecting these cryptographic keys.

To keep information secret, and to achieve privacy, a reversible algorithm must be used. This allows for reversing the encryption process to recover the software component or data item. However, encryption alone is insufficient to assure that information is not altered during storage. This is most evident when encryption with a public key algorithm is used. With a public key system as used with the present invention, any one can decrypt using the public decryption key, unlike public key systems where the public key is the encryption key and the private key is the decryption key, and any system user or node can masquerade as any other system user or node.

In contrast to the conventional cryptographic algorithms, a public key method uses two different keys to encrypt and decrypt a message. Successful methods are designed so that neither key may be inferred from the other. When used for authentication, the sender encrypts messages using the encryption key, which is held in secrecy. The decryption key is made publicly known. Any receiver can decrypt the message using the publicly known key and be confident that the data is not forged or altered because only the presumed sender knows the corresponding encryption key.

In general it is preferable for performance reasons to use conventional algorithms such as DES for bulk data encryption rather than to use a public key algorithm.

The Digital Signature Algorithm (DSA) "hashes" the item to be authenticated so that a smaller "hash digest" [...] along with an encrypted version of the hash digest. The receiver authenticates by hashing the received plaintext to regenerate the hash digest, decrypts the transmitted hash digest and compares the two digests for equality.

This method has some weaknesses when applied to software components. First, because the component is available in plaintext, it is tempting for potential reusers to forget about authenticating the component and to simply use the plaintext as is. One could remedy this defect by encrypting the entire component. The problem with this approach is that public key cryptographic schemes are very slow in operation (as compared to private key schemes); they may be impractically slow when applied to objects as large as software components with their related documentation.

The solution to this problem is to use the hybrid encryption scheme of the present invention. With this approach, the software component is encrypted using a private-key method, like DES. The DES key could be generated in an arbitrary fashion for each usage so that, in practical terms, every usage is unique. The key that was used for a software component is included with the encrypted software component. The encrypted software component is hashed to generate a digest. The digest and the DES key are then encrypted using the public key method.

Reusers who wish to look at the software component decrypt the hash digest and the DES key by applying the publicly known decryption key of the software component's publisher. The reuser regenerates the hash digest from the encrypted software component and compares it with the just-decrypted hash digest. The reuser can use the just-decrypted DES key to quickly decrypt the encrypted software component.

C. EXAMPLE CRYPTOGRAPHIC ALGORITHMS

1. Conventional Algorithms

Data Encryption Standard (DES)

The Data Encryption Standard (DES) is described in Federal Information Processing Standard Publication (FIPS PUB) 46 and available from the National Technical Information Service, 5285 Port Royal Road, Springfield, Va. 22161. DES hardware is available from Technical Communications Corp.

Skipjack

Skipjack is a symmetric key algorithm viewed as a possible replacement to DES. Capstone is a data security chip [...] skipjack algorithm, secure hash algorithm and the key exchange algorithm. {need reference}

2. Public Key Algorithms

[...] W. Diffie and M. E. Hellman, entitled "Privacy and Authentication: An Introduction to Cryptography," Proceedings of the IEEE, vol. 67, no. 3, March 1979, pp. 397-427, hereby incorporated by reference. [...], hereby incorporated by reference.

Digital Signature Standard (DSS)

The National Institute of Standards and Technology has proposed a method for generating control signatures [...] "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Transactions on Information Theory, 31, 1985, pp. 469-472, hereby incorporated by reference. The DSS proposes use of the Digital Signature Algorithm (DSA) to guarantee authenticity and integrity of data transactions.

Rivest-Shamir-Adleman (RSA)

The RSA public key algorithm is described in U.S. Pat. No. 4,405,829 to Rivest et al., "Cryptographic Communications System and Method," herein incorporated by reference.

D. HASHING

A one-way function is a function which is easy to compute in the forward direction, but hard to compute in the reverse direction. That is, if Y=f(X) is a one-way function then given any X it is easy to compute the corresponding Y, taking typically a fraction of a second on a small computer. But given any Y it is extremely difficult to find the corresponding X, ideally taking millions of years on the most powerful computer imaginable. A one-way function can be expansionary (i.e., Y is longer than X), compressive, or neither, depending on the relative sizes of the ciphertext (Y) and key (X). For purposes of this invention, we are primarily concerned with one-way compressive functions, where X is much longer than Y. Typical values herein will be a 100,000 bit length for X and a 100 bit length for Y. Methods for generating such an extremely compressive one-way function are well known in the art. Compressive functions are also called "hash functions" and a one-way compressive function is therefore called a one-way hash function.

A method for deriving a one-way function from a conventional cryptographic system is described in section V of Diffie and Hellman's paper, "New Directions in Cryptography", IEEE Transactions on Cryptography, vol. IT-22, November 1976 (see especially FIG. 3 therein). If X is the plaintext representation of a software component and E_Ke(X) represents the encrypted version of X using an encryption algorithm E with a cryptographic key Ke, then using a hashing function H the hash digest Hd is defined as follows:

Hd = H(E_Ke(X))

Computing Hd from X merely involves an encryption E_Ke(X) and computing the hashing function (H) given the encrypted software component E_Ke(X), and is therefore a simple computation. But computing E_Ke(X) or X from Hd involves cryptanalysis, because it requires inverting H (E_Ke(X) = H^-1(Hd)), and is therefore difficult to compute.

One-way hashing functions are well known in the art. Hashing functions suitable for use with the present invention are described in U.S. Pat. No. 4,924,515 titled "Secure Management of Keys Using Extended Control Vectors" to Matyas et al. and U.S. Pat. No. 4,908,861 titled "Data Authentication Using Modification Detection Codes" to Brachtl et al., which are hereby incorporated by reference.
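The following Python is an added illustration of section D and of the paragraph above on deriving a one-way function from a conventional cipher; it is not code from the patent. It builds a small invertible Feistel block cipher (constructed here, with SHA-256 as its round function so that nothing outside the standard library is needed; it is not DES), keys that cipher with the input X and applies it to a fixed block in the spirit of the construction the text attributes to Diffie and Hellman, and then chains that step (Davies-Meyer chaining, a standard technique) so that an X of any length compresses to a fixed 64-bit Y. The function names, the key schedule and the padding rule are this example's own.

```python
# Added example (not from the patent): a one-way, compressive function built
# from an invertible conventional cipher, in the spirit of section D.
import hashlib

BLOCK = 8     # 64-bit block size, as in DES
ROUNDS = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> list:
    # Constructed key schedule: 16 four-byte round keys from a key of any length.
    return [hashlib.sha256(key + bytes([i])).digest()[:4] for i in range(ROUNDS)]


def _round(subkey: bytes, half: bytes) -> bytes:
    # Constructed round function; it only needs to be a keyed, non-linear map.
    return hashlib.sha256(subkey + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_K(block): 16-round Feistel network on one 8-byte block."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in _subkeys(key):
        left, right = right, _xor(left, _round(sk, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """E_K^-1: the same network with the round keys in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for sk in reversed(_subkeys(key)):
        left, right = right, _xor(left, _round(sk, right))
    return right + left


FIXED_BLOCK = bytes(BLOCK)   # the public constant block P0 of the construction


def one_way(x: bytes) -> bytes:
    """f(X) = E_X(P0): the cipher keyed with X, applied to a fixed block.
    Forward direction: one encryption. Reverse direction: recover an unknown
    key from a single known plaintext/ciphertext pair, i.e. break the cipher."""
    return block_encrypt(x, FIXED_BLOCK)


def one_way_hash(x: bytes) -> bytes:
    """Compressive one-way hash of an X of any length into a BLOCK-byte Y.
    Davies-Meyer chaining: h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}, with each
    message block used as the cipher key, as in one_way()."""
    pad_len = (-(len(x) + 1 + 8)) % BLOCK
    padded = x + b"\x80" + bytes(pad_len) + len(x).to_bytes(8, "big")
    h = FIXED_BLOCK
    for i in range(0, len(padded), BLOCK):
        h = _xor(block_encrypt(padded[i:i + BLOCK], h), h)
    return h


def demo() -> dict:
    key, block = b"constructed key", b"8 bytes!"
    # constructed input, far longer than the 8-byte output (X much longer than Y)
    x = b"constructed plaintext of a software component\n" * 50
    return {
        "cipher_invertible": block_decrypt(key, block_encrypt(key, block)) == block,
        "digest_len": len(one_way_hash(x)),
        "modified_input_changes_digest": one_way_hash(x) != one_way_hash(x[:-1] + b"u"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one the text makes in words: the cipher itself is reversible when the key is known (block_decrypt undoes block_encrypt), but when the input plays the role of the key and only the output block is known, going backwards is a key-recovery problem.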

IV. PUBLISHING

A. DESCRIPTION

When a publisher decides that a software component is ready for publishing, several steps must be taken to produce the software component record, as depicted in FIG. 4. Referring now to FIG. 3, which depicts data objects as circles and functions as rectangles, we start with a software component 301 in a plaintext representation. This plaintext representation is typically source code and is typically stored in ASCII or EBCDIC format, although other formats may be used with the present invention (i.e., for instance one of the many word processing formats). The plaintext representation of the software component is transformed by the encryption function of cryptographic algorithm #1 303 using cryptographic key 305. Although a public key cryptographic algorithm may be used for cryptographic algorithm #1 303, it is preferable to use a conventional cryptographic algorithm like DES. This is due to performance considerations. Since the software component may be quite large, a faster encryption function is desired so that a reuser is not kept waiting during decryption. Also a conventional cryptographic algorithm makes browsing of the software component by the reuser much faster. Note that if a public key cryptographic algorithm type is used for the cryptographic algorithm #1 303 then the key supplied for cryptographic algorithm #2 313 would be the public key (assuming that the private key is used to encrypt).

The output of applying the encryption function for cryptographic algorithm #1 using the cryptographic key 305 is the encrypted software component 307. The encrypted software component 307 is then input to the hash function 309. The hash function 309 takes the encrypted software component 307 and produces a hash digest 311. Suitable hashing functions were discussed above. The hash digest 311 and the key 305 are then encrypted using the encryption function of cryptographic algorithm #2 313. Cryptographic algorithm #2 313 must be of a public key type. Both the hash digest 311 and key 305 are encrypted using the encryption function of cryptographic algorithm #2 with the private key 315. The private key must be properly safeguarded by the publisher. No one need know the private key 315 except the publisher. It is the public key associated with the private key, which cannot be used to derive the private key, that is placed in the directory for use by reusers. The publisher must make the public key associated with private key 315 available to potential reusers in order for the reusers to obtain the plaintext representation of the software component.

The hash digest 311 and key 305 are encrypted using the private key 315 and the encryption function of cryptographic algorithm #2 313 to produce an encrypted hash digest 317 and the encrypted key 319. Therefore, we have produced the encrypted software component 307, encrypted hash digest 317, and the encrypted key 319. The only data component missing from that shown in FIG. 4 is the descriptive plaintext component. The descriptive plaintext component may be created by the publisher using any word processor, or by filling in a form provided by the reuse library, or by extracting the information from the plaintext representation of the software component or from design or requirements specifications or any other source. This information may consist of an abstract, a description, indexes, identification of other software components from which the particular software component was derived, identification of other software components required to make use of the software component, testing status, relationship to other software components, publisher identity, and intellectual property information. The reuse library may provide this information or a portion of the information, as well as additional information, to the descriptive plaintext component. The descriptive plaintext component is discussed in detail below in the section discussing the reuse library.

FIG. 5 describes a method that can be implemented in hardware or software or any combination of hardware and software. In step 501 the plaintext representation of the software component is encrypted by a first cryptographic algorithm using a key. In step 503 the encrypted software component produced in step 501 is hashed to generate a hash digest. The hash digest from step 503 and the key used in step 501 are then encrypted using a second cryptographic algorithm in step 505, the second cryptographic algorithm being of a public key type, using the private key for encryption from the associated private and public keys. The encrypted software component of step 501, the encrypted hash digest of step 505 and the encrypted key of step 505 are then sent to the reuse library along with the descriptive plaintext component for storage and other processing performed by the reuse library.
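The hybrid scheme of section III.C and the publishing steps 501 to 505 just described, carried through to the reuser's side (FIG. 6), as an added Python example that is not code from the patent. The stand-ins are assumptions made only so that the example runs with the standard library alone: cryptographic algorithm #1 is a hash-derived keystream cipher in place of DES, cryptographic algorithm #2 is textbook RSA on fixed Mersenne primes in place of a real key pair, and SHA-256 is the hash function. The names publish, reuse, rsa_keypair, rsa_apply, tamper and the record field names are this example's own. Beyond the genuine case, it checks the two failure cases the text names: a modified encrypted component and a record produced under an impostor's private key, both of which the hash comparison rejects. A deployment would use a standard padded signature scheme and a vetted cipher rather than these stand-ins.

```python
# Added example (not from the patent): the hybrid publish / reuse record scheme.
import hashlib
import hmac
import secrets


# --- stand-in for cryptographic algorithm #1 (conventional; DES in the text) ---
# Hash-derived keystream XOR cipher, constructed for this example because DES
# is not in the Python standard library. Encryption and decryption coincide.
def conventional_encrypt(key: bytes, data: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


conventional_decrypt = conventional_encrypt


# --- stand-in for cryptographic algorithm #2 (public key; RSA in the text) ---
# Textbook RSA on fixed Mersenne primes (assumption: chosen only to avoid a
# prime generator; their special form makes them unsuitable for real keys).
def rsa_keypair(p: int = 2**521 - 1, q: int = 2**127 - 1, e: int = 65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)  # (public key, private key)


def rsa_apply(key, data: bytes, out_len: int = 0) -> bytes:
    """Raise the block to the key's exponent mod n.

    With the private key this is the 'encrypting' of step 505; with the
    public key it is the reuser's decrypting. Unpadded, hence a toy.
    """
    n, exp = key
    mod_len = (n.bit_length() + 7) // 8
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("block too large for this modulus")
    out = pow(m, exp, n).to_bytes(mod_len, "big")
    return out[-out_len:] if out_len else out


DIGEST_LEN = 32   # SHA-256 stands in for the hash function 309
KEY_LEN = 16


def publish(plaintext: bytes, private_key) -> dict:
    """Steps 501-505 of FIG. 5: build the software component record."""
    key = secrets.token_bytes(KEY_LEN)                    # key 305, fresh per component
    enc_component = conventional_encrypt(key, plaintext)  # 307 (step 501)
    digest = hashlib.sha256(enc_component).digest()       # 311 (step 503): hash of the ciphertext
    return {                                              # step 505
        "encrypted_component": enc_component,
        "encrypted_hash_digest": rsa_apply(private_key, digest),    # 317
        "encrypted_key": rsa_apply(private_key, key),               # 319
        "descriptive_plaintext": {"publisher": "example-publisher"},  # constructed
    }


def reuse(record: dict, public_key):
    """FIG. 6: recover the plaintext, or None if the record is corrupted or
    was not produced under the private key matching public_key."""
    try:
        digest = rsa_apply(public_key, record["encrypted_hash_digest"], DIGEST_LEN)
        key = rsa_apply(public_key, record["encrypted_key"], KEY_LEN)
    except ValueError:
        return None
    recomputed = hashlib.sha256(record["encrypted_component"]).digest()  # second hash digest
    if not hmac.compare_digest(digest, recomputed):
        return None  # not identical: corrupted or not the stated publisher's
    return conventional_decrypt(key, record["encrypted_component"])


def tamper(record: dict, index: int = 0) -> dict:
    """Simulate a modification in storage: flip one byte of the stored ciphertext."""
    enc = bytearray(record["encrypted_component"])
    enc[index] ^= 0x01
    return dict(record, encrypted_component=bytes(enc))


def demo() -> dict:
    public_key, private_key = rsa_keypair()
    component = b"int add(int a, int b) { return a + b; }\n"   # constructed plaintext
    record = publish(component, private_key)
    # impostor: a different key pair (another Mersenne prime; same assumption as above)
    _, impostor_private = rsa_keypair(q=2**107 - 1)
    forged = publish(component, impostor_private)
    return {
        "genuine": reuse(record, public_key) == component,
        "modified_detected": reuse(tamper(record), public_key) is None,
        "impostor_detected": reuse(forged, public_key) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points the text relies on show up directly in the code: the digest is taken over the encrypted component, so the reuser can check integrity before spending any time decrypting, and the per-component key travels only inside the record under the publisher's private key, so a record that verifies under the directory's public key for that publisher both names the publisher and yields the key.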

B. EMBODIMENTS 

It should be noted that the functions described in FIG. 3 and the steps of FIG. 5 may be carried out in either hardware or software or a combination of both. As mentioned in the cryptographic sections above, many different cryptographic systems and functions are commercially available in hardware and software embodiments. Chip sets, boards, boxes, cards and software are available for performing the encrypting and hashing functions required for publishing a software component. The preferred embodiment of the present invention is to have these functions performed using software so that interfacing with the reuse library can be performed from any computer system equipped with the software.

The preferred embodiment of the present invention comprises one or more software systems. In this context, a software system is a collection of one or more executable software programs, and one or more storage areas, for example, RAM or disk. In general terms, a software system should be understood to comprise a fully functional software embodiment of a function, which can be added to an existing computer system to provide new function to that computer system. One embodiment of the present invention is shown in FIG. 8. The embodiment of the publishing workstation depicted in FIG. 8 is a collection of functions and data items. These functions and data items were explained in detail above. As shown in FIG. 8 the preferred embodiment of this invention comprises a set of computer programs for the generation of an encrypted software component 90, encrypted hash digest 91, and encrypted key 92 from a software component 97, along with the descriptive plaintext component 93. FIG. 8 includes a processor 20 connected by means of a system bus 22 to a read only memory (ROM) 24 and memory 38. Also included in the computer system in FIG. 8 are a display 28 by which the computer presents information to the user, and a plurality of input devices including a keyboard 26, mouse 34 and other devices that may be attached via input/output port 30. Other input devices such as other pointing devices or voice sensors or image sensors may also be attached. Other pointing devices include tablets, numeric keypads, touch screens, touch screen overlays, track balls, joy sticks, light pens, thumb wheels etc. The I/O 30 can be connected to communications lines, reuse library, directory, disk storage, input devices, output devices or other I/O equipment. The computer system shown in FIG. 8 may also be connected to the directory and reuse library via the communications adaptor 36. Communications between the publisher and other systems is provided via the communications manager 75. Communications manager 75 provides for the sending and receiving of data and requests. The memory 38 includes a display buffer 72 that contains pixel intensity values or character values for presentation on the display. The display 28 periodically reads the values from the display buffer 72, displaying these values or characters onto a display screen.

As shown in FIG. 8, the memory 38 includes a word processor 80, a hash function 81, an encryption function for cryptographic algorithm #1 82, an encryption function for cryptographic algorithm #2 83, hash digest 94, key 95 and private key 96.

The hash 81, encryption 82, encryption 83 and the word processor functions cause the software component record 89, with its four components: encrypted software component 90, encrypted hash digest 91, encrypted key 92 and the descriptive plaintext component 93, to be generated as described above. The supervisor 98 can coordinate the data flow between these functions and make sure the output generated is sent to the reuse library. Alternatively, each function can perform the required data flow as required. Also shown in the memory 38 is an operating system 74. Other elements shown in memory 38 include drivers 76 which interpret the electrical signals generated by devices such as the keyboard and mouse. A working memory area 78 is also shown in memory 38. The working memory area 78 can be utilized by any of the elements shown in memory 38. The working memory area can be utilized by any of the functions; it may also be used to store the various data items. The working memory area 78 may be partitioned amongst the elements and within an element. The working memory area 78 may be utilized for communication, buffering, temporary storage, or storage of data while a program is running.

V. REUSING 

A. DESCRIPTION

The process used by the reuser is very similar to that used by the publisher except the steps are reversed. Referring now to FIG. 6, which depicts data objects as circles and functions as rectangles, FIG. 6 provides a functional overview of what a reuser needs to do in order to reuse a software component stored in the reuse library. Although not shown on FIG. 6 the reuser first retrieves or causes the reuse library to retrieve a software component record. The components of a software component record are depicted in FIG. 4. FIG. 6 shows the encrypted software component 601, the encrypted hash digest 603, and the encrypted key 605 of the retrieved software component record. Note that the reuser also requires public key 607. Public key 607 is obtained from the directory of publisher's public keys. The directory is discussed in detail below. The public key may be requested from the directory from information contained in the descriptive plaintext component (not shown) of the retrieved software component record. Thus the reuser knows which publisher's public key to request. The public key 607 is used with the decryption function of cryptographic algorithm #2 611. Using the public key 607, the decryption function processes the encrypted hash digest 603 and the encrypted key 605 to yield the hash digest 614 and the key 619, respectively.

The encrypted software component 601 is hashed by hash function 609 to yield hash digest 613. The hash function 609 utilized in the reuse function must be the same hash function that was utilized by the publisher. The hash digest 613 generated by the hash function 609 is then compared with the hash digest 614 decrypted from decryption function 611. This comparison is made by the comparator function 617. If the hash digest 613 and hash digest 614 are identical then no modification of the software component has taken place and no corruption will be indicated by the corruption indicator 623. If however, the hash digests are not identical then the software component has been corrupted and a corruption indication must be given. The indicator could be any visual or audible signal. A message flashing on the screen accompanied by beeping is usually sufficient to inform the reuser that the software component has been corrupted.

If no corruption indicator has been generated the encrypted software component is decrypted using the decryption function of algorithm #1 615 and the key 619 obtained from decryption function 611. Note even if a corruption indication was generated the encrypted software component might be decrypted, but presumably the reuser would not want to use the corrupted component for fear of the effect of the corruption (e.g., possible viruses, bugs, etc.). The result of decryption function 615 using the encrypted software component
601 as input and the key 619 is the software component 621. The software component 621 can now be viewed by the reuser on the display, edited, modified or incorporated into a larger system as the reuser desires. The reuser may also browse the software component 621 using the browsing means described below. If the comparator function 617 detects corruption it could tag (or place text inside) the plaintext representation of the software component 621 with a warning label that indicates to anyone browsing the software component that the component has been modified and that reuse is not recommended.

FIG. 7 describes a method that can be implemented in hardware or software or any combination of hardware and software. In step 700 one or more software component records are retrieved or caused to be retrieved from the reuse library. In step 701 the public key associated with the publisher of the retrieved software component is obtained from a directory of publisher's public keys. In step 703 the encrypted hash digest and the encrypted key are decrypted using the second cryptographic algorithm and the public key obtained from step 701. In step 705 the encrypted software component is hashed to generate a hash digest. The hash digest obtained from step 705 and the hash digest from step 703 are compared. If equal then an indication that the software component was not modified or corrupted may be provided (not shown). If not equal then in step 711 an indication is provided to the reuser that the software component has been corrupted or modified in some fashion. In step 713 the encrypted software component is decrypted using the first cryptographic algorithm and the key decrypted in step 703 to provide the plaintext representation of the software component. Other steps may be added, for instance to support browsing as discussed below.

B. BROWSING MEANS

After retrieving a software component record from the reuse library the reuser may easily browse information contained in the descriptive plaintext component of the retrieved software component record. The browsing displays or prints information in human readable format. The browsing means can write directly to the display buffer or via operating system calls. The descriptive plaintext component of the software record contains information designed to enable the reuser to quickly determine whether a particular software component may be of value to the reuser. The reuser may also browse the plaintext representation of the software component. This requires that the encrypted software component of the software component record be decrypted, as described above. Because the present invention uses a symmetric cryptographic algorithm for encryption and decryption of the software component, decryption can be performed relatively fast. In fact, while the reuser is browsing the plaintext portion the decryption can be taking place in the background. Thus, the reuser is presented with information contained in the plaintext portion and then the plaintext representation of the software component in a seamless fashion so that decryption is transparent to the reuser. This requires an operating system that supports background processing or multi-processing or multi-tasking. If corruption of the software component is detected then the reuser could be informed as indicated above.

C. EMBODIMENT

It should be noted that the functions described in FIG. 6 and steps of FIG. 7 may be carried out in either hardware or software or a combination of both. As mentioned in the cryptographic sections above many different cryptographic systems and functions are commercially available in hardware and software embodiments. Chip sets, boards, boxes, cards and software are available for performing the decrypting and hashing functions required for reusing a software component or obtaining a plaintext representation of one. The preferred embodiment of the present invention is to have these functions performed using software so that interfacing with the reuse library can be performed from any computer system equipped with the software.

The reuser workstation embodiment as depicted in FIG. 9 is a collection of functions and data items. These functions and data items were explained in detail above.

The preferred embodiment of the present invention comprises one or more software systems. In this context, software system is a collection of one or more executable software programs, and one or more storage areas, for example, RAM or disk. In general terms, a software system should be understood to comprise a fully functional software embodiment of a function, which can be added to an existing computer system to provide new function to that computer system. As shown in FIG. 9 the preferred embodiment of this invention comprises a set of computer programs for the generation of the plaintext representation of the software component 97. The computer system of FIG. 9 includes a processor 20 connected by means of a system bus 22 to a read only memory (ROM) 24 and memory 38. Also included in the computer system in FIG. 9 are a display 28 by which the computer presents information to the user and a plurality of input devices including a keyboard 26, mouse 34 and other devices that may be attached via input/output port 30. Other input devices such as other pointing devices or voice sensors or image sensors may also be attached. Other pointing devices include tablets, numeric keypads, touch screen, touch screen overlays, track balls, joy sticks, light pens, thumb wheels etc. The I/O 30 can be connected to communications lines, reuse library, directory, disk storage, input devices, output devices or other I/O equipment. The computer system shown in FIG. 9 may also be connected to the directory and reuse library via the communications adaptor 36. Communications between the reuser and other systems are provided via the communications manager 75. Communications manager 75 provides for the sending and receiving of data and requests. The memory 38 includes a display buffer 72 that contains pixel intensity values or character values for presentation on the display. The display 28 periodically reads the values from the display buffer 72 displaying these values or characters onto a display screen.

A software component record 89 obtained from the reuse library is shown in memory 38 along with its four components: the encrypted software 90, the encrypted hash digest 91, the encrypted key 92, and the descriptive plaintext component 93. A public key 901 is also shown in memory 38. The public key 901 may have been obtained via a network, via communications adapter 36 or input by the reuser using any of the input means specified above.



As shown in FIG. 9, the memory 38 includes a browsing means 903, a hash function 81, a decryption function for cryptographic algorithm #1 905, a decryption function for cryptographic algorithm #2 907, and a comparator function 909. These functions enable the computer system to obtain the plaintext representation of the software component 97 with an indication of whether or not the software component 97 has been corrupted as described above. The supervisor 911 can coordinate the data flow between these functions and obtain the software component from the reuse library. The supervisor may, after receiving the software component record 89, cause the browsing means 903 to immediately display information contained in the descriptive plaintext component 93, allowing the reuser to page or search through the information so provided. While permitting the reuser to browse, the encrypted software component 90 can be decrypted. As an alternative to the supervisor 911, each function can perform the required data flow as required.

Also shown in the memory 38 is an operating system 74. Other elements shown in memory 38 include drivers 76 which interpret the electrical signals generated by devices such as the keyboard and mouse. A working memory area 78 is also shown in memory 38. The working memory area 78 can be utilized by any of the elements shown in memory 38. The working memory area can be utilized by any of the functions; it may also be used to store the various data items. The working memory area 78 may be partitioned amongst the elements and within an element. The working memory area 78 may be utilized for communication, buffering, temporary storage, or storage of data while a program is running.

It should be noted that the reuser workstation and the publisher workstation embodiments can easily be provided in a single computer system that allows an operator to be a reuser and a publisher. This combined workstation may also contain an electronic directory.
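The following Go program is an added worked example of the publishing procedure (FIG. 8) and the reusing procedure (FIG. 6 and steps 700 through 713 of FIG. 7) described above; it is not code from the patent. It fixes choices the specification leaves open: SHA-256 as the hash function, DES in counter mode with a random IV prepended to the ciphertext as cryptographic algorithm #1 (DES appears only because claim 3 names it; its 56-bit key is obsolete), and RSA as crypt ographic algorithm #2. The "encrypt with the private key, decrypt with the public key" operation of claim 1 is implemented literally as textbook RSA on the unpadded digest and key, which is what the claim describes but not what a current design should use; a modern implementation would sign the ciphertext digest and the key with a proper signature scheme (for example RSA-PSS) instead of raw modular exponentiation. Two properties of the scheme are worth noting and are exercised by the code: the key is recoverable by anyone holding the public key, so the record protects integrity and authenticity rather than confidentiality against reusers; and the descriptive plaintext component lies outside the hash, so the publisher identity by which the reuser selects a public key is itself unauthenticated. Because the Digital Signature Algorithm named in claims 2 and 4 produces signatures without message recovery, the recovery-based flow shown here corresponds to claims 3 and 5. The element numerals in the comments are those of the figures as named in the text; the publisher name, abstract and sample component are constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

var ErrCorrupted = errors.New("software component corrupted: hash digests differ") // corruption indicator 623 of FIG. 6
const desKeyLen = 8                                                              // DES is obsolete; used only because claim 3 names it

// SoftwareComponentRecord is the four-part record of FIG. 4 (numerals are the figure's).
type SoftwareComponentRecord struct {
	EncryptedComponent  []byte // 403: IV || DES-CTR(K, plaintext)
	EncryptedHashDigest []byte // 405: SHA-256(EncryptedComponent)^d mod n
	EncryptedKey        []byte // 407: K^d mod n
	Publisher, Abstract string // 409: descriptive plaintext component; neither hashed nor encrypted
}

func GenerateKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // publisher key pair
func NewDirectory(publisher string, priv *rsa.PrivateKey) map[string]*rsa.PublicKey {       // directory 105
	return map[string]*rsa.PublicKey{publisher: &priv.PublicKey}
}

// rawPrivateOp is claim 1(c), "encrypting ... with the second [private] key": m^d mod n.
// Textbook RSA without padding, kept only to mirror the claim; not for deployment.
func rawPrivateOp(priv *rsa.PrivateKey, m []byte) []byte {
	return new(big.Int).Exp(new(big.Int).SetBytes(m), priv.D, priv.N).Bytes()
}

// rawPublicOp is the reuser's "decrypting ... using the public key": c^e mod n, written into a
// buffer of the expected width (32 for the digest, 8 for the key); anything else is rejected.
func rawPublicOp(pub *rsa.PublicKey, c []byte, width int) ([]byte, error) {
	x := new(big.Int).SetBytes(c)
	m := new(big.Int).Exp(x, big.NewInt(int64(pub.E)), pub.N)
	if x.Cmp(pub.N) >= 0 || m.BitLen() > width*8 {
		return nil, fmt.Errorf("recovered value is not a %d-byte quantity", width)
	}
	return m.FillBytes(make([]byte, width)), nil
}

// desCTR encrypts or decrypts (CTR is its own inverse); callers always pass an 8-byte key and IV.
func desCTR(key, iv, in []byte) []byte {
	block, _ := des.NewCipher(key) // cannot fail: key length is fixed at desKeyLen by construction
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Publish is the publisher side (FIG. 8 functions 81, 82, 83): fresh key and IV, encrypt,
// hash the ciphertext, then apply the private key to the digest and to the key.
func Publish(priv *rsa.PrivateKey, publisher, abstract string, plaintext []byte) (*SoftwareComponentRecord, error) {
	kiv := make([]byte, desKeyLen+des.BlockSize)
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	key, iv := kiv[:desKeyLen], kiv[desKeyLen:]
	encComp := append(append([]byte{}, iv...), desCTR(key, iv, plaintext)...)
	digest := sha256.Sum256(encComp) // claim 1(b): the ciphertext, not the plaintext, is hashed
	return &SoftwareComponentRecord{
		EncryptedComponent:  encComp,
		EncryptedHashDigest: rawPrivateOp(priv, digest[:]),
		EncryptedKey:        rawPrivateOp(priv, key),
		Publisher:           publisher,
		Abstract:            abstract,
	}, nil
}

// Reuse is steps 701-713 of FIG. 7; ErrCorrupted is the corruption indication of step 711.
func Reuse(directory map[string]*rsa.PublicKey, rec *SoftwareComponentRecord) ([]byte, error) {
	pub, ok := directory[rec.Publisher] // step 701: key 607, chosen by the unauthenticated Publisher field
	if !ok {
		return nil, fmt.Errorf("no public key in directory for publisher %q", rec.Publisher)
	}
	digest614, errD := rawPublicOp(pub, rec.EncryptedHashDigest, sha256.Size) // step 703
	key619, errK := rawPublicOp(pub, rec.EncryptedKey, desKeyLen)            // step 703
	digest613 := sha256.Sum256(rec.EncryptedComponent)                        // step 705: hash function 609
	if errD != nil || errK != nil || len(rec.EncryptedComponent) < des.BlockSize ||
		subtle.ConstantTimeCompare(digest613[:], digest614) != 1 { // comparator 617
		return nil, ErrCorrupted
	}
	iv, ct := rec.EncryptedComponent[:des.BlockSize], rec.EncryptedComponent[des.BlockSize:]
	return desCTR(key619, iv, ct), nil // step 713: decryption function 615 with key 619
}

func main() {
	priv, _ := GenerateKeyPair()                  // demo only; callers should check this error
	directory := NewDirectory("acme-tools", priv) // hypothetical publisher name
	rec, _ := Publish(priv, "acme-tools", "integer max helper", []byte("int max(int a, int b) { return a > b ? a : b; }")) // constructed sample
	_, err := Reuse(directory, rec)
	fmt.Println("intact record:", err) // <nil>
	rec.EncryptedComponent[9] ^= 0x01 // one flipped ciphertext byte in the library copy
	_, err = Reuse(directory, rec)
	fmt.Println("tampered record:", err) // software component corrupted: hash digests differ
}
```

The main function shows an intact record being accepted and a record with one flipped ciphertext byte being rejected. The same functions reject a substituted encrypted key and a record produced under an adversary's own private key (the third advantage of section VIII), because the public-key operation then yields a value that is not a digest or key of the expected width, whereas an edit to the Abstract field goes undetected since nothing in the record binds the descriptive plaintext component to the publisher's key.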

VI. REUSE LIBRARY

A. DESCRIPTION

The reuse library is where the publishers send their software component records for access by the reusers. The reuse library can be electronically networked to the publishers, or the publishers may simply send the encrypted software component through the mail on diskettes, tapes or other storage media. The reuse library must make the software component record available for browsing and selection by the reusers. Thus, the reuse library must provide storage and retrieval functions for the software component record. Each software component record received by the reuse library must be registered so that the publisher and software component record can be uniquely identified. This usually entails assigning the software component record a unique identifier.

In addition to the reuse library's storage and retrieval of software component records the reuse library may provide for other services as well. These include cataloguing so that software component records referencing other software component records can be easily located. Indexing and classifying the software components are other functions that the reuse library may provide to assist reusers in more quickly and efficiently locating relevant software components. The reuse library may maintain its own classification data for classifying the software component. The reuse library may also require that the publisher fill out a requested form so that the classification may be more easily carried out. The classification criteria can consist of any criteria useful for discriminating among classes of reusers. Examples of classification criteria are domain or application oriented criteria. The reuse library may reclassify software components as the criteria evolve over time.

In order for the reuse library to perform these other functions, the publishers may be required to furnish certain plaintext information in the descriptive plaintext component of the software component record. The descriptive plaintext component thus contains information that is not encrypted. The information contained in the descriptive plaintext component need not be human readable but can be easily converted to human readable format. The information contained in the descriptive plaintext component may consist of an abstract, a description, indexes, identification of other software components from which the particular software component was derived, identification of other software components required to make use of the software component, testing status, relationship to other software components, publisher identity, and intellectual property information. The abstract and/or description would among other things describe the context for which the software component was developed. Intellectual property information may contain licensing and/or derivation information and/or ownership information and/or a certificate of originality that certifies that the publisher created the work. Other software components referenced by the current software component may be identified by their unique identifier or some other suitable description. This information is essential for the reuse library to perform indexing, cataloguing and classification steps and to provide reusers with complete information on a particular software component in order to make a fully informed selection decision.

The reuse library may also add plaintext, or a reference to plaintext, that are reviews of the software components. The descriptive plaintext component could contain references to these reviews or actually contain the reviews themselves. Reusers may provide reviews concerning their experiences with using or adapting the software component for their own purposes. The reviews may also be created by independent reviewers as the market place for reusable components grows. In summary the descriptive plaintext component may contain information provided from any source. The descriptive plaintext component may be assembled by the reuse library or the publisher or both.

FIG. 4 depicts the logical view of a record for one software component 401 that is provided to the reuse library. The reuse library in registering the software component record would assign the software component record a unique identifier (not shown) and then perform the necessary functions to store the software component record. The software component record 401 consists of four components: the encrypted software component 403, the encrypted hash digest 405, the encrypted key 407 and the descriptive plaintext component 409. Note the descriptive plaintext component is not the plaintext representation of the software component. As was stated above the descriptive plaintext component 409 may consist of any or all of the following data: abstract, a description, indexes, identification of other software components from which the particular software component was derived, identification of other software components required to make use of the
software component, testing status, relationship to other software components, publisher identity, intellectual property information. Other information may also be included in the descriptive plaintext component as required or needed.

It should be noted that the software component record 401 as shown in FIG. 4 is a logical view of the software component record. The software component record 401 may be physically stored in a variety of manners. Thus, the software components may be stored as a flat file or in a database table or set of database tables or as objects or sets of objects in an object oriented database. A repository may also be used for storing the information contained in the software component record. (See IBM Systems Journal, Repository Manager Technology, Vol. 29, No. 2, 1990, pp. 209-227, by Sagawa, hereby incorporated by reference). It should be noted that any method of storing and retrieving the information contained in the software component record will work with the present invention. However, database or repository embodiments are preferred because they permit the reusers to more easily search and locate a desired software component and make the reuse library easier to maintain. This searching/browsing may entail decryption of the encrypted software component or may use the plaintext description and references as described above.

The reuse library may be located on any computer system with suitable storage capability. A file server or database server machine where access is provided to publishers and reusers via a client/server architecture is a preferred embodiment. The publishers and reusers may be connected by phone lines, LAN, WAN, MAN, wireless, cellular telephone or any other communications means.

As was mentioned above the present invention contemplates working with multiple libraries. The libraries may specialize in particular problem domains, particular languages, any other criteria or combinations of the above.

B. EMBODIMENTS

One embodiment for the reuse library of the present invention is shown in FIG. 10. The embodiment of the reuse library as depicted in FIG. 10 is a collection of functions and data items. These functions and data items were explained in detail above.

The preferred embodiment of the present invention comprises one or more software systems. In this context, software system is a collection of one or more executable software programs, and one or more storage areas, for example, RAM or disk. In general terms, a software system should be understood to comprise a fully functional software embodiment of a function, which can be added to an existing computer system to provide new function to that computer system. As shown in FIG. 10 the preferred embodiment of this invention comprises a set of computer programs for the storage and retrieval of software component records. The computer system of FIG. 10 includes a processor 20 connected by means of a system bus 22 to a read only memory (ROM) 24 and memory 38. Also included in the computer system in FIG. 10 are a display 28 by which the computer presents information to the operator of the reuse library and a plurality of input devices including a keyboard 26, mouse 34 and other devices that may be attached via input/output port 30. The I/O 30 can be connected to communications lines, publisher's workstations, reuser's workstations, other reuse libraries, directory, disk storage, input devices, output devices or other I/O equipment. The computer system shown in FIG. 10 may also be connected to the publisher's workstations and the reuser's workstations via the communications adaptor 36. Communications between the reuse library and other systems are provided via the communications manager 75. Communications manager 75 provides for the sending and receiving of data and requests. The memory 38 includes a display buffer 72. The display 28 periodically reads the values from the display buffer 72 displaying these values or characters onto a display screen.

A plurality of software component records 1001 are shown in memory 38 each having four components: the encrypted software, the encrypted hash digest, the encrypted key, and the descriptive plaintext component. The software components may be stored in a repository, a relational database, a flat file, object oriented data base or any other means. The retrieval means 1003 and the storage means 1005 would then interface with the storage subsystem for the storage and retrieval of software component records. Also shown in memory are cataloging means 1007, classifying means 1009, and indexing means 1011. Also shown are the classifying criteria 1013, software component reviews 1015 and indexes 1017. The retrieval means 1003 may also contain a search capability that permits reusers connected to the reuse library to search through software component records 1001 using search criteria, key words, classification criteria, etc. This search capability could use information contained in the descriptive plaintext component of the software component records.

Also shown in the memory 38 is an operating system 74. Other elements shown in memory 38 include drivers 76 which interpret the electrical signals generated by devices such as the keyboard and mouse. A working memory area 78 is also shown in memory 38. The working memory area 78 can be utilized by any of the elements shown in memory 38. The working memory area can be utilized by any of the functions; it may also be used to store the various data items. The working memory area 78 may be partitioned amongst the elements and within an element. The working memory area 78 may be utilized for communication, buffering, temporary storage, or storage of data while a program is running.

It should be noted that the reuser workstation, the publisher workstation and the reuse library embodiments can easily be provided in a single computer system that allows an operator to be a reuser and a publisher or a librarian. This combined workstation may also contain an electronic directory.

VII. DIRECTORY

The directory of publisher's public keys 105 (FIG. 1 and FIG. 2) is basically a list or table. One column in the table contains the publisher and the other column contains the publisher's public key. The publisher's public key is required by the reuser in order to obtain the plaintext representation of any software component the publisher places in the reuse library. A publisher may have more than one public key (this implies that the publisher has more than one private key). Publishers require write access to the directory or the ability to place their public keys in the reuse library.

The reuser desiring to obtain or browse a software component must obtain the publisher's public key. The directory may be contained on the same computer system as the reuse library or another computer system or
the reuser's computer system or no system at all. Thus the public keys may be contained in a notebook or print out. In this case the public key would be looked up in the book for input to the decryption hardware or software. Reusers require read access to the directory.

If the directory is stored on a computer system the reuser would obtain the public key and use it to decrypt the desired software component as described above. The reuser may obtain the public key by requesting the key associated with the publisher described in the plaintext portion of the software component record, or via the unique identifier, or a table provided by the reuse library, or some other means.

The directory may be placed on any computer system. A file server or database server where access is provided to publishers and reusers via a client/server architecture is a preferred embodiment. The publishers and reusers may be connected by phone lines, LAN, WAN, MAN, wireless, cellular network or other communications means.

The directory may also be placed in a trusted system with access to the directory provided via a trusted path. Using a trusted system and a trusted path provides additional security in that only authorized individuals would have access to the public keys. Since the public keys are added to the directory by a trusted path, only those parties granted access to the trusted system containing the directory would be able to access the directory and the public keys. A trusted file server can be utilized to provide an additional security mechanism. The trusted file server essentially keeps the publisher's public keys semi-private in that only those individuals who are provided access to the trusted system can obtain access to the public keys.

The present invention may also be utilized with a certification management system. A certification management system can provide for the directory required by the present invention. A certification management system would handle public keys for other purposes and may also provide a means for certifying electronic signatures as well. The certification management system might be part of a greater encryption infrastructure. The certification management system may allow others to electronically look up each other's public keys. The certification management system could also handle key exchanges and digital signatures. The reusers and publishers might be connected to such a system by the Internet or other network.

VIII. ADVANTAGES AND CLOSING

This present invention provides several advantages. The first advantage is that large software components are encrypted and decrypted using a fast private key scheme (like DES) rather than the slow public key methods. A second advantage is that the software component is sent to the reuse library and retrieved from the reuse library in encrypted form so that reusers cannot ignore authentication requirements. A third advantage is that the key associated with the conventional algorithm (the DES key) is encrypted so that adversaries cannot simply substitute a replacement key to accompany replacement text. A fourth advantage is that the present invention can work with any of the current cryptographic standards, like DES, and potential standards, like Skipjack. Alternatively, the present invention can utilize the current de facto standard, RSA, or other public key methods rather than RSA.

While the invention has been described in detail herein in accord with certain preferred embodiments thereof, modifications and changes therein may be effected by those skilled in the art. Accordingly, it is intended by the appended claims to cover all such modifications and changes as fall within the true spirit and scope of the invention.

What is claimed:

1. In a network of computers comprising at least one computer, the method for reusing software components that maintains the integrity and authenticity of the software components, said method comprising:
generating a software component record using the following substeps:
(a) encrypting a plaintext representation of a software component into an encrypted software component with a first cryptographic algorithm using a first key;
(b) hashing the encrypted software component to generate a first hash digest;
(c) encrypting the first hash digest and the first key using a second cryptographic algorithm with a second key, wherein said second cryptographic algorithm is of a public key type and said second key is the private key associated with at least one public key, said software component record consisting of the encrypted software component, the encrypted hash digest, and the encrypted first key;
storing the software component record in a reuse library;
retrieving the software component record from the reuse library;
generating the plaintext representation of the software component using the following substeps:
(a) obtaining a public key associated with the second key from a public key directory;
(b) decrypting the encrypted hash digest and the encrypted first key into the decrypted first key and the decrypted first hash digest using the public key and the second cryptographic algorithm;
(c) hashing the encrypted software component to generate a second hash digest;
(d) comparing the second hash digest with the decrypted first hash digest, and if not identical indicating that the software component is corrupted, if identical indicating that the software is not corrupted;
(e) decrypting the encrypted software component into the plaintext representation using the decrypted first key and the first encryption algorithm.

2. The method of claim 1 wherein the Data Encryption Standard is used as the first cryptographic algorithm and the Digital Signature Algorithm is used as the second cryptographic algorithm.

3. The method of claim 1 wherein the Data Encryption Standard is used as the first cryptographic algorithm and the RSA is used as the second cryptographic algorithm.

4. The method of claim 1 wherein the Skipjack is used as the first cryptographic algorithm and the Digital Signature Algorithm is used as the second cryptographic algorithm.

5. The method of claim 1 wherein the Skipjack is used as the first cryptographic algorithm and the RSA is used as the second cryptographic algorithm.
6. The method of claim 1 wherein the software component record includes a descriptive plaintext component containing a description of the software component.

7. The method of claim 6 wherein the descriptive plaintext component includes information regarding data rights and ownership rights.

8. The method of claim 6 wherein the plaintext representation of the software component also includes information defining the software component's relationship to other software component records in the reuse library.

9. The method of claim 7 wherein the plaintext representation of the software component also includes information defining the software component's relationship to other software component records in the reuse library.

10. The computer system comprising:

a reuse library having a plurality of encrypted software components, each software component record having an encrypted software component, an encrypted hash digest, and an encrypted first key;

said reuse library having a storage means for storing encrypted software components;

said reuse library having a retrieval means for retrieving encrypted software components;

a directory containing a list of publishers and an associated list of public keys;

at least one publisher's workstation coupled to the reuse library, said publisher's workstation having

a first encrypting means for encrypting a plaintext representation of a software component into an encrypted software component with a first cryptographic algorithm using a first key;

a hashing means for hashing the encrypted software component to generate a first hash digest;

a second encrypting means for encrypting the first hash digest and the first key using a second cryptographic algorithm with a second key, wherein said second cryptographic algorithm is of a public key algorithm type and said second key is the publisher's private key associated with a publisher's public key, said software component record consisting of the encrypted software component, the encrypted hash digest, and the encrypted first key;

a communications means for sending the software component record to the reuse library for storage by the storage means;

at least one reuser workstation coupled to the reuse library, said reuser workstation having

a requesting means for sending a request to the reuse library for a desired encrypted software component, wherein said request causes the retrieval means of the reuse library to retrieve the desired software component and send it to the requesting workstation;

a means for obtaining the public key from the directory, said public key associated with the second key of the desired encrypted software component;

a first decrypting means for decrypting the encrypted hash digest and the encrypted first key into the decrypted first key and the decrypted first hash digest using the public key and the second cryptographic algorithm;

a hashing means for hashing the encrypted software component to generate a second hash digest;

a comparing means for comparing the second hash digest with the decrypted first hash digest, and if not identical indicating that the software component is corrupted, if identical indicating that the software is not corrupted;

a second decrypting means for decrypting the encrypted software component into the plaintext representation using the decrypted first key and the first encryption algorithm.

11. The system of claim 10 wherein the reuser workstation also includes a display means for displaying the plaintext representation of the software component record and for providing an indication of corruption.

12. The system of claim 10 wherein the reuser workstation also includes a browsing means for browsing encrypted software components stored in the reuse library.

13. The system of claim 10 wherein the plurality of encrypted software components and the directory are stored in a relational database.

14. The system of claim 10 wherein the plurality of encrypted software components and the directory are stored in an object oriented database.

15. The system of claim 10 wherein the reuse library includes a catalogue means for assigning the software component record a unique identifier and for classifying the software component record.

16. The system of claim 15 wherein the catalogue means classifies the software component record according to a set of classification criteria.

17. The system of claim 10 wherein the Data Encryption Standard is used as the first cryptographic algorithm and the Digital Signature Algorithm is used as the second cryptographic algorithm.

18. The system of claim 10 wherein the Data Encryption Standard is used as the first cryptographic algorithm and the RSA is used as the second cryptographic algorithm.

19. The system of claim 10 wherein the Skipjack is used as the first cryptographic algorithm and the Digital Signature Algorithm is used as the second cryptographic algorithm.

20. The system of claim 10 wherein the Skipjack is used as the first cryptographic algorithm and the RSA is used as the second cryptographic algorithm.

* * * * *
ABSTRACT

A server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of generating d' from a secret key d using m random numbers $R_i$ (where $i = 1, \ldots, m$) generated by said main unit having secret keys n and d, transferring d' and n from said main unit to said auxiliary unit, computing the following equation from a message block C in said auxiliary unit

$M' = C^{d'} \bmod n$

computing X using said random numbers $R_i$ and n in said main unit while computing M' in said auxiliary unit, transferring M' from said auxiliary unit to said main unit, and computing a message block M using the following equation in said main unit.
SERVER-AIDED COMPUTATION METHOD AND DISTRIBUTED INFORMATION PROCESSING UNIT

FIELD OF THE INVENTION

The present invention relates to a server-aided computation method and a distributed information processing unit for secretly distributing information of a host computer into a plurality of auxiliary units which compute the information.

DESCRIPTION OF THE RELATED ART

When a security service is used with a cryptosystem, it is very important to safely distribute and control key information. The open key cryptosystem RSA proposed by Rivest et al. has come to public notice as a cryptosystem for solving most of such key distribution problems. The present invention is based on the RSA cryptosystem, which is described in detail as follows.

KEY GENERATION

First, generate any two large different prime numbers p and q. Generate $n = pq$ as a product of p and q. [...] $\lambda$ represents the Carmichael function and $L = \mathrm{LCM}(p-1, q-1)$. [...] Select e against L ($3 \le e \le L-1$) and obtain the inverse element of multiplication, d, for e in the modulus L.

$e \cdot d \equiv 1 \pmod{L}$ (1)

The (e, n) produced in the above method is a key for an encipherment. The key can be deciphered using (d, n).

ENCIPHERMENT AND DECIPHERMENT

A plain text M and a code C are both integers less than n. They are enciphered by the following equation. In the following description, it is necessary to assume that any equal sign represents that a value on the left side is computed by using the right side operation.

$C = M^e \bmod n$ (2)

M can be obtained from C in the following equation.

$M = C^d \bmod n$ (3)

The conversion of the decipherment can be speeded up by using the secret information codes p and q of the receiving side. This method is described in a thesis written by J. J. Quisquater et al., "Fast decipherment algorithm for RSA public-key cryptosystem", Electron. Lett. [...]. To compute the value of equation (3), obtain it in moduli p and q rather than directly obtaining it in modulus n, [using the Chinese remainder] theorem; from the [values] obtained, obtain the plain text. (For detail of the Chinese remainder theorem see a thesis titled [...] (Modern Cryptosystem Theory), [...] Institute of Electronics, Information and Communication Engineers, p. [...].)

$C_p = C \bmod p$, $C_q = C \bmod q$ (4)

$d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$ (5)

At the time, the following equations are satisfied.

$m_p = C_p^{d_p} \bmod p$

$m_q = C_q^{d_q} \bmod q$

Thus, the plain text M can be obtained as a root of the following simultaneous congruent expressions.

$M \equiv m_p \pmod{p}$

$M \equiv m_q \pmod{q}$

The RSA cryptosystem [can also be used for a] signature [...] as follows:

$S = M^d \bmod n$

where a plain text is M and a signature text is S. [...] cryptosystem can be executed in the above method. Now, outline the cryptosystem [...].

A. [The public keys of each] person are made open to the public in the form of a list. Thus, any one can access the keys.

B. Secret keys d, p, q, and $\lambda(n)$ are kept secret to the public. The person who has the secret keys should take care not to disclose them.

C. Besides the encryption function, a signature func[tion ...].

D. To secure the safety of the RSA cryptosystem, it is necessary to select around 100 digits in decimal notation for the number of digits of the secret keys p and q. [Thus n] becomes a value of around 200 digits in [decimal] notation, resulting in requiring a huge processing amount of computation for conversions between the encipherment and decipherment.

[As a] method for maximizing the benefits of the RSA cryptosystem, it is preferable to issue an individual key, to store the key in a portable recording medium, and to have the person who owns the key [carry it]. In this case, the item B described above is very important in the system operation. As the recording medium of the personal secret key which satisfies the condition of the item B, an IC card is most suitable as a portable and personal computing and recording apparatus. However, when the RSA cryptosystem using IC cards is built up, the following two problems arise.

When a key is stored in the IC card, due to the requirement of the item B above, ideally, it is preferable to [execute the] decrypting conversion and generate a signature in the IC card. Since the IC card has an access control function which compares a password, when the conversion is performed in the IC card using the secret keys d, p, q, and $\lambda(n)$, the secret key d can be prevented from being divulged from the IC card. However, because of the huge processing amount described in the item D and insufficient computation capacity of the IC card, when the RSA code is converted by the IC card, it is difficult to ac[complish the practical processing speed. Although it is possible to]
consider to mount an RSA dedicated high speed computation LSI on the IC card, an increase of the IC card cost is inevitable.

On the other hand, it is quite easy to use the IC card as a key memory with the access control function. By having a unit with a high computation capacity other than the IC card, for example, a terminal unit, execute the complicated code conversion, it is possible to accomplish the practical processing speed. However, in this case, since d is passed to the terminal unit, unless the design, maintenance, and control of the terminal unit are carefully done, d may be divulged to another person via the terminal unit. In addition, d may be unexpectedly stolen via a false terminal unit.

To solve such two problems, recently means for the IC card to efficiently perform the RSA code conversion using only the computation capability of the terminal unit without divulging the secret key d to the terminal unit have been proposed. This method is named "server-aided computation method", taken from the proposers. Although the server-aided computation method is a wide concept, the method remarkably relating to the RSA code conversion is described in the thesis titled "Anzenna Keisan Iraihou Ni Tsuite (Safety Computation Request Method)", by Kato, Matsumoto, and Imai, Code and Information Security Symposium Material F0, February 1988. The method is described in the following.

As a preparation, firstly obtain $r_p$, $r_q$ and R which satisfy the following equations.

$r_p = R \bmod (p-1)$ (11)

$r_q = R \bmod (q-1)$ (12)

However, when it is defined that $\chi(r) = l(r) + w(r) - 2$, $r_p$ and $r_q$ are selected so that

$\chi(r_p) + \chi(r_q)$ (13)

becomes a small value; $l(r)$ represents the bit length of r; $w(r)$ represents the Hamming weight of r; and $\chi(r)$ represents the number of times of the modulo-multiplication necessary for the modulo-exponentiation where r is an exponent.

In addition, compute the following equations.

$w_p = q\,(q^{-1} \bmod p) \bmod n$

$w_q = p\,(p^{-1} \bmod q) \bmod n$ (14)

In the IC card, $r_p$, $r_q$, R, d, p, q, $\lambda(n)$, n, $w_p$ and $w_q$ have been stored. Then, using the following equation instead of d

$d' = d \cdot R^{-1} \bmod \lambda(n)$ (15)

the IC card requests the terminal unit to compute M', where C is converted by d'.

$M' = C^{d'} \bmod n$ (16)

The terminal unit returns M' being computed to the IC card. The IC card converts M' into the plain text M by using the following equation.

$M = \{w_p\,((M' \bmod p)^{r_p} \bmod p) + w_q\,((M' \bmod q)^{r_q} \bmod q)\} \bmod n$ (17)

Since $r_p$ and $r_q$ have been selected so that the value of the equation (13) becomes small, the modulo-exponentiation computation can be effectively performed by the IC card whose computation capacity is relatively small. In addition, to the terminal unit, the IC card sends d' converted by the equation (15) rather than d, thereby enhancing the degree of safety. When the server-aided computation is performed in the manner described above, the code conversion can be effectively performed with the computation capacity of the terminal [unit as] well as increasing the degree of safety of the secret key d.

[As] described above, when secret information such as [that of the RSA] cryptosystem is computed, if a unit computes [a large] processing amount of information, it takes much computation time. For example, if an IC card whose computation capacity is relatively small executes such [computation], it takes much computation time. In addition, [it is possible for an auxiliary unit as] well as the main computation unit to share the computation [and exchange] information between them so as to reduce the computation time. However, if the secret information is directly sent to the auxiliary unit, it may be [stolen] by the unit or a third party. For example, [when an external unit executes the] computation at a high speed, the secret information necessary for the decryption and generation of a signature [becomes] known by the external unit and thereby the information may be invalidly used. [Such] secret information, using the "server-aided computation" which has been proposed, can be effectively converted using the computation capacity of an external unit without divulging the secret information. However, the external unit is not always reliable and the communication information may be changed by a third party. Thus, the requesting side cannot detect an invalidity of the requested side and a change of communication information by the third party. Consequently, the validity of the server-aided computation becomes doubtful.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a server-aided computation method and a distributed information processing unit for preventing secret information from divulging to a requested side of the computation, for effectively computing the secret information using the computing capacity of the requested side, and for really validating the server-aided computation.

For example, the RSA cryptosystem can be used both for enciphering messages and for generating digital signatures.

The first invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers $R_i$ (where $i = 1, \ldots, m$) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

$M' = C^{d'} \bmod n$

computing X using said random numbers $R_i$ and n in said main unit while computing M' in said auxiliary unit;
transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit [...].

The second invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers $R_i$ (where $i = 1, \ldots, m$) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

$M' = C^{d'} \bmod n$

computing $X^{-1}$ using said random numbers $R_i$ and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit [...].

The third invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers $R_i$ (where $i = 1, \ldots, m$) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit [...]

computing X and $X^{-1}$ using said random numbers $R_i$ and n in said main unit while computing M' in said auxiliary unit;

transferring [M'] from said auxiliary unit to said main unit; and

computing a message block M using M', X, and $X^{-1}$.

In the above server-aided computation methods, the auxiliary unit only knows d' and n, which have been open, and C and M'. Since the auxiliary unit cannot directly know the secret key d, it is impossible to devise a function which causes the auxiliary unit to steal the secret key d. The section of the computations for obtaining X, $X^{-1}$, or $X_i$ that the main unit executes can be conducted independently from the computations that the second unit executes. In addition, by restricting the bit length of random numbers $r_p$ and $r_q$, the amount of the computation for obtaining X and $X^{-1}$ can be reduced.

The fourth invention is a server-aided computation method using a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes wherein $S = M^d \bmod n$, where a positive integer M less than an integer n given by a secret positive integer d which is sent to said auxiliary unit is raised to d-th power in accordance with an algebraic system where the given positive prime number or a composite number n is a modulus, said method comprising the steps of:

(a) separating said integer n into k ($k \ge 1$) positive integers [...];

(b) [separating] said positive integer d into $(m+1) \cdot k$ non-negative integers $D_j = (d_{0j}, f_{1j}, \ldots, f_{mj})$ which [are secret] information only for said main unit and which [satisfy] the following k sets of equations

$d \equiv d_{0j} + f_{1j} d_{1j} + f_{2j} d_{2j} + \cdots + f_{mj} d_{mj} \pmod{\lambda(n_j)}$

where $j = 1, \ldots, k$ and $\lambda(n_j)$ is the Carmichael function of positive integer $n_j$, and sets of the following $m \times k$ positive integers which are transferred to said auxiliary unit

$(d_{1j}, d_{2j}, \ldots, d_{mj})$, $j = 1, \ldots, k$;

(c) computing $Y_{ij} = M^{d_{ij}} \bmod n$ where $i = 1, \ldots, m$ and $j = 1, \ldots, k$ in said auxiliary unit and sending the results to [said] main unit; and

(d) computing in said main unit the following equation using k values $Y_{0j} = M^{d_{0j}} \bmod n$ and above $Y_{ij}$ which have been computed by said main unit

$S_j = Y_{0j}\, Y_{1j}^{f_{1j}}\, Y_{2j}^{f_{2j}} \cdots Y_{mj}^{f_{mj}} \bmod n_j$

where $j = 1, \ldots, k$, and obtaining a result S which satisfies the k simultaneous equations relating to S.

The fourth invention can be also applied when said integer n is a prime number. The fourth invention can be applied when said integer is a product of two prime numbers.

In the fourth invention, since $D_j$ is kept secret to the auxiliary unit which supports the main unit, the auxiliary unit cannot know $D_j$ unless it tries to execute the round robin method. Thus, it is possible for the main unit to execute the computation without divulging the secret information to the auxiliary unit. In addition, when the computation speed of the auxiliary unit is satisfactorily high, the required computation can be executed at a higher speed than that executed [by the main unit alone]. [In the] fourth invention, when [the] non-negative integers $f_{1j}, \ldots, f_{mj}$ are selected to 1 or 0, the computation load of the main unit can be reduced. [When a] condition where the value $d_{ij}$ is defined so that $d_{ij} = d_{i'j}$ is imposed for at least one set of integer pairs (i, j) [...], [since the] auxiliary unit executes $M^{d_{ij}} \bmod n$, it does not need [to compute] $M^{d_{i'j}} \bmod n$ and thereby the entire computation [is] reduced.

The fifth invention is a distributed information processing unit having a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, for executing a distributed process without divulging conversion of said secret information other than said main unit, [said] distributed information processing unit comprising:

conversion means for executing said conversion of input information and reverse conversion means for reversely converting the conversion results; and
verification means for comparing the reverse conversion results of said reverse conversion means with said input information so as to verify the conversion results of said conversion means.

The sixth invention is a distributed information processing unit having a main unit for processing secret information and at least one auxiliary unit for supporting a computation that said main unit executes, for executing a distributed process without divulging conversion of said secret information other than said main unit, said distributed information processing unit comprising:

a plurality of conversion means for executing said [conversion of input information; and verification means for] comparing the con[version results of said plurality of conversion means].

In the fifth and sixth inventions, by comparing the conv[ersion results with the reverse conversion results, or by] mutually comparing a plurality of conversion results, the main unit can effectively execute the conversion with a support of the computation capacity of the requested side without divulging the secret information to [the requested side, and can verify whether the results of the] computation are correct or not.

The seventh invention is a distributed information [processing unit having a main unit for processing secret information and at least one auxiliary unit for support]ing a computation that said main unit executes, for executing a distributed process without divulging conversion of [said secret information other than said main unit, said distributed information processing] unit comprising: [first conversion means ...;] second conversion means for executing an identity [conversion ...] [... of the re]quested side.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is [...]; FIG. 6 is a process flow chart of [...]; FIGS. [...] of the [fourth invention ...] terminal; FIG. 10 is a chart showing a process time characteristic; FIG. 11 is a block diagram showing an outline of the fifth to seventh inventions; FIGS. 12 and 13 are a process flow chart embodying the fifth invention and an outline diagram showing the general structure; FIGS. 14 and 15 are a process flow chart and an outlined diagram of the general structural example of another embodiment; FIGS. 16, 17, and 18 are an outlined diagram of the general structural example, a flow chart of an example of the process, and a flow chart of another example of the process of another embodiment, respectively; FIGS. 19 and 20 are flow charts showing another embodiment; and [FIGS. 21] and 22 are a flow chart of the process and an outlined diagram of the general structural example of another embodiment, respectively.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENT

[An] embodiment of the present invention is described in the following. For convenience of the description, as shown in FIG. 1, it is assumed that the requesting side of [the] computation is the IC card and the requested side of [the] computation is the terminal. However, the requesting [side] and requested side [are not limited to these ...]. [Here, the] computation where a cipher text is deciphered to a plain [text is described; it is also possible] to generate a digital signature by using the same conversion.

[FIG. 2 is] a perspective view of a terminal unit 2. [...] a [...] port 29, a floppy disk driver 31, and a keyboard (I/O) 33, each of which is connected via an internal data bus 35. The display controller 21 controls [the] display 3. The central processing unit 23 controls [...]. [The] keyboard (I/O) 13 is connected to the keyboard 5.

[First, $r_p$] and [$r_q$] which satisfy the equations (18) and (19) [are determined and R] is obtained.

$r_p = R \bmod (p-1)$ (18)
$r_q = R \bmod (q-1)$ (19)

At the time, as described above, the restriction where the result of the following equation is relatively small is applied.

$\chi(r_p) + \chi(r_q)$ (20)

[The] equations (18) and (19) are solved to [obtain R] after $r_p$ and $r_q$ are properly defined. The existing condition of solution and the solution are described on pages 31-35 of Sadaharu Takagi's "SHOTO SEISUURON KOUGI (Elementary Theory of Numbers)", Kyoritsu Syuppan. The solution of the simultaneous equations is uniquely obtained assuming that $L = \mathrm{LCM}(p-1, q-1)$ is a modulus. If necessary, the following equations are also computed.

$w_p = q\,(q^{-1} \bmod p) \bmod n$, $w_q = p\,(p^{-1} \bmod q) \bmod n$ (21)

[These auxiliary variables] should not be always prepared. In the present embodiment, [...] the conversion where d' is obtained from d is defined using the following equation.

$d' = (d - R) \bmod \lambda(n)$ (22)

FIG. 5 is a process flow chart showing a process of the terminal unit 2. First, the user faces the terminal unit 2 and then inserts the own IC card 9 into the reader writer 7 for the IC card 9 which is connected to the terminal unit 2 (in step 501). The user presses proper keys on the terminal unit 2 to inform the terminal unit 2 that the operation thereof is started. At the time, a clock and power are supplied to the IC card 9 via the reader writer 7. After the IC card 9 is initialized (in step 502), the IC card 9 enters a communication waiting state. The terminal unit 2 requires the user to enter the own password to verify whether the user of the IC card 9 is valid or invalid (in step 503). When the password [is not entered, whether a specified time has] elapsed [is checked (in step 504)]. When the specified time elapsed, a timeout occurs. Otherwise, the control returns back to step 503. When the password is entered, the password is transferred to the IC card 9 (in step 506). The password is compared with the registered password stored in the IC card 9 and the com[pared result is] transferred to the terminal unit 2 (in step 507). When the compared result is OK (in step 508), the IC card 9 becomes a valid state. When the compared result is not OK, the IC card 9 becomes an invalid state. When the user enters a command (in step 509), whether the entered command is an end command or not (in step 510) is checked and a command subroutine is executed (in step 511). [The] command subroutine is described in the following.

The process that follows is shown in FIG. 1. [The terminal unit 2] transfers the cipher text C to the IC card 9 (in step 101) and reads d' and n which have been written in the memory of the IC card 9 (in step 102). The terminal unit 2 computes M' from the cipher text C using the two pieces of information (in step 103).

$M' = C^{d'} \bmod n$ (23)

The terminal unit 2 sends M' which has been computed to the IC card 9 (in step 105). On the other hand, the IC card 9 obtains a constant X according to the equations (24) to (26) along with the computation in the terminal unit 2 (in step 104).

$X_p = (C \bmod p)^{r_p} \bmod p$ (24)

$X_q = (C \bmod q)^{r_q} \bmod q$ (25)

The above equations are computed and X is obtained using the following equation.

$X = (w_p X_p + w_q X_q) \bmod n$ (26)

The equations (24) to (26) are supplementarily described in the following. Although it can be considered that the equations (24) and (25) are simultaneous equations for X, X which satisfies the above two equations can be uniquely obtained [by the Chinese] remainder theorem. The one solution of the equations is the right side of the equation (26), [using] the two auxiliary variables $w_p$ and $w_q$. However, the method for obtaining X which satisfies equations (24) and (25) is not limited to the above method. For example, another solution is represented in pages 905-907 of J. J. Quisquater et al., ["Fast] decipherment algorithm for RSA public-key cryptosystem", Electron. Lett. 18, 21, October 1982. Therefore, the obtainment of X and use of the auxiliary variables $w_p$ and $w_q$ by the equation (26) are not essential. Rather, the obtainment of X which satisfies [the] equations (24) and (25) is essential. Thus, this [does not] limit the method for obtaining X [as long as the result] is actually accomplished.

Although the plain text M that the IC card 9 needed [is obtained by] converting the cipher text [C with the] following equation,

$M = C^d \bmod n$ (27)

[M is] obtained from M' computed by the terminal [unit 2 and] X computed by the IC card 9 using the following equation (in step 106).

$M = (M' \cdot X) \bmod n$ (28)

In this example, the computation is executed in the IC card 9. The IC card 9 transfers M, which has been obtained, as the deciphered result to the terminal unit 2 (in step 107).

The terminal unit 2 displays the deciphered result on the display and writes it to the auxiliary storage unit to complete the decipher process sequence. The user removes the IC card 9 from the reader writer 7 and completes the operation.

In the present embodiment, since the terminal unit 2 can easily obtain X from M and M' in the process, it is necessary to note that the computation of the equation (28) can be executed in the terminal unit 2 rather than the IC card 9. In this process, the terminal unit 2 does not transfer M' to the IC card 9. Rather, the IC card 9 transfers X to the terminal unit 2.
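The exchange of steps 101 to 107 above, as an added example that is not the patent's own code: the IC card (main unit) keeps d and hands the terminal (auxiliary unit) only d' and n, the terminal computes M' by equation (23), the card computes X by equations (24) to (26) and finishes with equation (28), then re-encrypts the result and compares it with C in the spirit of the fifth invention's verification means. The primes, e, $r_p$ and $r_q$ are constructed demo values, R is solved from equations (18) and (19), and the χ(r) count of equation (13) is included; class and function names are this example's own.

```python
from math import gcd


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def chi(r: int) -> int:
    """chi(r) = l(r) + w(r) - 2: modulo-multiplications that square-and-multiply
    exponentiation with exponent r needs (bit length plus Hamming weight minus 2)."""
    return r.bit_length() + bin(r).count("1") - 2


def crt2(a1: int, m1: int, a2: int, m2: int) -> int:
    """Solve x = a1 (mod m1), x = a2 (mod m2) for moduli that need not be coprime.
    This is how R is recovered from r_p = R mod (p-1) and r_q = R mod (q-1)."""
    g = gcd(m1, m2)
    if (a2 - a1) % g:
        raise ValueError("no solution: residues disagree modulo gcd(m1, m2)")
    m2g = m2 // g
    t = 0 if m2g == 1 else ((a2 - a1) // g) * pow(m1 // g, -1, m2g) % m2g
    return (a1 + m1 * t) % (m1 // g * m2)


class ICCard:
    """Main unit: holds p, q, d and never reveals d to the terminal."""

    def __init__(self, p: int, q: int, e: int, r_p: int, r_q: int):
        self.p, self.q, self.e = p, q, e
        self.n = p * q
        lam = lcm(p - 1, q - 1)                  # Carmichael function lambda(n)
        self.d = pow(e, -1, lam)                 # e * d = 1 (mod lambda(n))
        # Preparation: small r_p, r_q (low chi) are fixed first, then R is solved
        # from equations (18) and (19); both must agree modulo gcd(p-1, q-1).
        self.r_p, self.r_q = r_p, r_q
        R = crt2(r_p, p - 1, r_q, q - 1)
        self.d_prime = (self.d - R) % lam        # equation (22)
        # Auxiliary CRT variables of equation (21)
        self.w_p = q * pow(q, -1, p) % self.n
        self.w_q = p * pow(p, -1, q) % self.n

    def readable_by_terminal(self):
        """Step 102: what the terminal may read from the card, d' and n only."""
        return self.d_prime, self.n

    def compute_x(self, c: int) -> int:
        """Step 104: X = C^R mod n, done cheaply via r_p, r_q (equations (24)-(26))."""
        x_p = pow(c % self.p, self.r_p, self.p)
        x_q = pow(c % self.q, self.r_q, self.q)
        return (self.w_p * x_p + self.w_q * x_q) % self.n

    def finish(self, c: int, m_prime: int, x: int) -> int:
        """Step 106: M = M' * X mod n (equation (28)); then verify the terminal's
        help by re-encrypting with the public key and comparing with C."""
        m = m_prime * x % self.n
        if pow(m, self.e, self.n) != c:
            raise ValueError("server-aided result failed verification")
        return m


def terminal_compute(d_prime: int, n: int, c: int) -> int:
    """Auxiliary unit, step 103: M' = C^d' mod n, knowing only d', n and C."""
    return pow(c, d_prime, n)


def server_aided_decrypt(card: ICCard, c: int, tamper: bool = False) -> int:
    """Whole exchange of FIG. 1. `tamper` simulates a false terminal returning a wrong M'."""
    d_prime, n = card.readable_by_terminal()
    m_prime = terminal_compute(d_prime, n, c)    # step 103 on the terminal
    if tamper:
        m_prime = (m_prime + 1) % n
    x = card.compute_x(c)                        # step 104 on the card, in parallel
    return card.finish(c, m_prime, x)            # steps 105-106


# Constructed demo parameters: two small primes, e = 65537, and low-weight
# exponents r_p = 2^8 + 1 and r_q = 2^9 + 1 (both odd, since gcd(p-1, q-1) = 2).
DEMO_CARD = ICCard(p=1000003, q=999983, e=65537, r_p=257, r_q=513)

if __name__ == "__main__":
    n, e = DEMO_CARD.n, DEMO_CARD.e
    m = 123456789                                 # constructed plain text, less than n
    c = pow(m, e, n)                              # equation (2): C = M^e mod n
    print("terminal receives d' =", DEMO_CARD.d_prime, "and never d =", DEMO_CARD.d)
    print("recovered M =", server_aided_decrypt(DEMO_CARD, c), "(expected", m, ")")
    print("card multiplications, chi(r_p) + chi(r_q) =", chi(257) + chi(513))
```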
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In the above process, it is obvious ihit M can be lent to the set is not limited to the method described 

correctly computed using the equation (28) as descnbed above. Another method for obtaining M is described m 

, , . the following. 

,ZTl!!!:J^Tr'!}V^ ^° """" ^""8 '^e followmg two equations, from M. 

tion IS satisfied by ihc Chinese remainder theorem 5 • ^ 

which has been mentioned as (Related Art). v-^. ^ 



JT-C^ mod ' 



129) 



*}4| 



^n.rJM^ following equation is also ,o by computing M> and M',. the following two equations 

are obtained. 



yf m mod 1 • C^'Mlmodi^tmt , 

- C*-* mod a m mod n 



iiO) V^- .W^JTp mod ^ 

I J • yf^Xq mod p 



From the equations (29) and (30). the following equa- 
tton IS also satisfied. 



iH Jf^modi! - (O'C-* C^> mod 1 « O'mod * 
» Vf 



Thus, it is obvious that the equation (28) is satisfied. 

Then, the computation load is considered in the following. The computations from the equations (18) to (22) can be prepared before the conversion is started. After the cipher text is given, it is possible to consider the computations only for portions which are executable. As steps to be executed after C is given: (1) obtainment of X by the IC card 9 using the equations (24) to (26); (2) computation of the equation (27) by the terminal unit 2; and (3) computation of the equation (28) by the IC card 9. In the above three steps, the computation (2) that the terminal unit 2 performs requires the largest computation load.

Practically, this value can be represented as $\chi(d')$. However, when n is 512 bits, a modulo-multiplication for 512 bits should be executed 1024 times in the worst case. The step that requires the next largest computation load is (1). The equations which require major computation load in step (1) are the equations (24) and (25). They require a modulo-multiplication for 256 bits $\chi(r_p) + \chi(r_q)$ times. By selecting small values for r_p and r_q in advance, the computation load can be reduced. The computation in step (3) that the IC card 9 performs is a modulo-multiplication for 512 bits one time. The major portions of the computation load are the computations in steps (1) and (2). In the first invention, particularly note that the step (1) and the step (2) are independent and they can be executed in parallel. For example, when a general purpose personal computer takes 30 seconds for executing the computation in step (2), if the bit length of r_p and r_q is determined to a proper value and thereby the computation time of step (1) executed by the IC card becomes approx. 30 seconds, the total computation time for the decipherment could become around 30 seconds. When the periods of time necessary for the computations in steps (1) to (3) are represented as T1, T2, and T3, respectively, the total computation time T can be generally represented as the following equation.



By simultaneously solving the equations (35) and (36). 
the required M can be obtained. 

Then, as an embodiment of the second invention, according to FIG. 6, the conversion where d' is obtained from d is defined using the following equation.

$d' = (d + R) \bmod \lambda(n)$

In the description that follows, the startup of the terminal unit 2 and the initialization of the IC card 9 are omitted. Rather, only the process for the computation is sequentially described. It is assumed that R used in the first embodiment is the same as that in this embodiment. Like the embodiment of the first invention, the terminal unit 2 transfers the cipher text C which has been input from the outside to the IC card (in step 601). The terminal unit 2 receives d' and n from the IC card 9 (in step 602). Like the first embodiment, the terminal unit 2 computes M' which is given in the following equation (in step 603).

$M' = C^{d'} \bmod n$

The terminal unit 2 sends M' computed therein back to the IC card 9 (in step 607).

On the other hand, the IC card 9 computes the following equations (in step 604)



$T = \mathrm{Max}(T_1, T_2) + T_3$    (32)

where Max(A, B) is a function which selects a larger one of A and B.

In the first embodiment, the process for obtaining M using the set of M' and (X_p, X_q) or using values equiva-

$X_p = (C \bmod p)^{r_p} \bmod p$
$X_q = (C \bmod q)^{r_q} \bmod q$

and obtain X using the following equation (in step 605)

X = [remainder of the equation illegible in the scan]

In addition, by solving the following equation

$X \cdot X^{-1} \equiv 1 \pmod{n}$    (42)

X^{-1} is obtained (in step 606). This solution is named the extended Euclidean algorithm. For details, see the thesis "Gendai Angou Riron" described above. The value to be obtained by the IC card 9, namely M, is expressed as follows.

$M = C^{d} \bmod n$

This value is obtained from the following equation using M' which has been computed by the terminal unit 2 and X^{-1} which has been computed by the IC card 9 (in step 608).



The IC card 9 transfers the result being obtained to the terminal unit 2 and completes the process (in step 609).

In the following, it will become obvious that M can be correctly computed from the equation (44).

From the equations (35) to (38) and the Chinese remainder theorem, the following equation is satisfied.

$X^{-1} = C^{-R} \bmod n$    (45)

On the other hand, since M' can be expressed as follows,

$M' = C^{d'} \bmod n = C^{(d + R) \bmod \lambda(n)} \bmod n = C^{d + R} \bmod n$

From the equations (29) and (30),

$(M' X^{-1}) \bmod n = (C^{d + R} \cdot C^{-R}) \bmod n = C^{d} \bmod n$    (46)

Thus, it is obvious that the equation (28) is satisfied.

In the embodiment of the second invention, the process for obtaining M using M' and the set of (X_p, X_q) or a value equivalent to this set is not limited to the method described above.

For example, by computing [...] using the extended Euclidean algorithm in advance, the following equations can be computed.

$r_{ip} = R_i \bmod (p - 1)$    (54)

Like the embodiment of the first invention, it is also assumed that the value of the following expression is properly restricted.

As suggested in the equations (54) to (56), it is necessary to define r_ip and r_iq and then obtain R_i. Using R_i obtained in the above manner, each conversion f_i from x to y is defined. Using the resultant conversion where m conversions are composed, d is converted into d'.



$X_p^{-1} = (C^{-1} \bmod p)^{r_p} \bmod p$    (48)
$X_q^{-1} = (C^{-1} \bmod q)^{r_q} \bmod q$    (49)

Using the results, X^{-1} can be computed. M can be obtained in the same manner as the equation (40). In addition, from the following two equations using [...]

$M'_p = M' \bmod p$    (50)
$M'_q = M' \bmod q$    (51)

M'_p and M'_q are obtained and thereby the following equations are satisfied.

$M_p = M'_p X_p^{-1} \bmod p$    (52)
$M_q = M'_q X_q^{-1} \bmod q$    (53)

By simultaneously solving the equations (48) and (49), the required M can be obtained. The effect of the second invention is the same as that of the first invention.

As an embodiment of the third invention, a more generalized method is described. In the first and the second embodiments, the unique random number R has been used in the algebraic system where the Carmichael function λ(n) is a modulus. In the embodiment of the third invention, a general format using m random numbers R_i (i = 1, ..., m; m ≥ 1) is described. Firstly, it is assumed that each random number R_i satisfies the following equations.

As the practical definition of f_i, the following three types can be used.

$y = (x \cdot R_i^{-1}) \bmod \lambda(n)$    (59)
$y = (x - R_i) \bmod \lambda(n)$    (60)
$y = (x + R_i) \bmod \lambda(n)$    (61)

The equation (59) is the function which has been described. The equations (60) and (61) are the functions which have been represented in the embodiments of the first and the second inventions. By using any combination of the above functions, the server-aided computation can be accomplished.

Like the above example, the IC card 9 sends d' which has been obtained in the equation (58) to the terminal unit 2. The terminal unit 2 obtains M' from the following equation.

$M' = C^{d'} \bmod n$

The terminal unit 2 sends M' back to the IC card 9. The IC card 9 obtains M from M' in accordance with the M obtainment process determined by the conversion process of the equation (58). Like the above example, for the conversions according to the equations (60) and (61), along with the computation by the terminal unit 2, the following values necessary for the conversion for obtaining M from M' can be computed.

$X_{p,i} = (C \bmod p)^{r_{ip}} \bmod p$
$X_{q,i} = (C \bmod q)^{r_{iq}} \bmod q$    (62)

In this embodiment, the method for obtaining M is omitted because it can be easily accomplished by applying the prior art and the embodiments of the first and the second inventions.

Therefore, according to the first, the second, and the third inventions, the method for accomplishing most of the processes of the terminal unit 2 and the IC card 9 at the same time is provided and thereby the process time necessary for the server-aided computation can be remarkably reduced.
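As an added worked example in Python (not code from the patent), the masked-exponent decryption of the first and second embodiments above: the card hands the terminal only d' = (d - R) mod λ(n) or d' = (d + R) mod λ(n), computes X = C^R mod n itself through the Chinese remainder theorem from the small residues r_p and r_q, and finishes with M = M'·X mod n or M = M'·X^{-1} mod n. The toy primes, the public exponent 65537, the sample plaintext and the way a full-size R is built from chosen residues are assumptions of this example; the page only states that small r_p and r_q are selected in advance.

```python
"""Server-aided RSA decryption with a masked exponent (first and second embodiments).

The card publishes d' = (d - R) mod lambda(n) (first) or d' = (d + R) mod lambda(n)
(second); the terminal does the heavy C^d' mod n; the card finishes with X = C^R mod n,
computed cheaply via the CRT from the small residues r_p = R mod (p-1), r_q = R mod (q-1).
"""
import secrets
from math import gcd

# Constructed toy key (assumption): far too small for real use, chosen so the code runs instantly.
P, Q = 1000003, 1000033
N = P * Q
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # Carmichael function lambda(n) = LCM(p-1, q-1)
E = 65537
D = pow(E, -1, LAMBDA)                              # secret exponent; it never leaves the card


def mask_from_residues(r_p, r_q):
    """Card side: build a full-size R in [0, lambda(n)) whose residues mod (p-1) and (q-1)
    are the chosen small values r_p and r_q. Since p-1 and q-1 are both even, the residues
    must agree modulo g = gcd(p-1, q-1). This construction is an assumption of the example."""
    g = gcd(P - 1, Q - 1)
    if (r_p - r_q) % g:
        raise ValueError("r_p and r_q must agree modulo gcd(p-1, q-1)")
    m1, m2 = (P - 1) // g, (Q - 1) // g             # coprime cofactors
    t = ((r_q - r_p) // g * pow(m1, -1, m2)) % m2
    return (r_p + (P - 1) * t) % LAMBDA


def pick_small_residues(bits=16):
    """Random small residues that satisfy the congruence condition above."""
    g = gcd(P - 1, Q - 1)
    r_p = secrets.randbits(bits)
    return r_p, r_p + g * secrets.randbelow(1 << 8)


def card_power_mask(c, r_p, r_q):
    """Card side (step (1) of the load analysis): X = C^R mod n from two short
    exponentiations mod p and mod q, recombined with the Chinese remainder theorem."""
    x_p = pow(c % P, r_p, P)
    x_q = pow(c % Q, r_q, Q)
    return (x_p * Q * pow(Q, -1, P) + x_q * P * pow(P, -1, Q)) % N


def terminal_power(c, d_prime):
    """Terminal side (step (2)): the full-size exponentiation, seeing the masked exponent only."""
    return pow(c, d_prime, N)


def decrypt_first_embodiment(c, r_p, r_q):
    """d' = (d - R) mod lambda(n); the card recovers M = M' * X mod n (equation (31))."""
    r = mask_from_residues(r_p, r_q)
    d_prime = (D - r) % LAMBDA
    m_prime = terminal_power(c, d_prime)
    return m_prime * card_power_mask(c, r_p, r_q) % N


def decrypt_second_embodiment(c, r_p, r_q):
    """d' = (d + R) mod lambda(n); the card recovers M = M' * X^-1 mod n, taking X^-1 by
    the extended Euclidean algorithm (pow(x, -1, n) in Python)."""
    r = mask_from_residues(r_p, r_q)
    d_prime = (D + r) % LAMBDA
    m_prime = terminal_power(c, d_prime)
    x_inv = pow(card_power_mask(c, r_p, r_q), -1, N)
    return m_prime * x_inv % N


if __name__ == "__main__":
    message = 123456789012                     # constructed sample plaintext, coprime to n
    cipher = pow(message, E, N)
    r_p, r_q = pick_small_residues()
    assert decrypt_first_embodiment(cipher, r_p, r_q) == message
    assert decrypt_second_embodiment(cipher, r_p, r_q) == message
    print("both embodiments recover M; the terminal only ever saw d' and C")
```

The card's own work is two 20-bit exponentiations modulo the half-size primes plus one recombination, while the terminal does the full-size exponentiation with an exponent from which d cannot be read off without R; this is the split of the computation load that steps (1) to (3) above describe.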
In addition, according to the first invention to the third inventions, it is not necessary to excessively increase the process speed of the IC card, thereby reducing the costs of the terminal unit 2 and the IC card 9.

In the following, an embodiment of the fourth invention is described.

This embodiment is described assuming that the IC card 9 and one POS unit are used as the main unit and the auxiliary unit, respectively.

The system structure is the same as those shown in FIGS. 2 to 4. The computation section is shown in FIG. [...]. [...] can be separated into k factors each of which is a prime number. Namely, [...] (k = 1, 2, ..., k). FIG. 7 is shown in such manner. In this embodiment, firstly, the case of k = 1 is described.

As shown in FIG. 7, the IC card 9 stores a plurality of positive integers D1 = (d_0, f_1, f_2, ..., f_m) and the open information storage section stores D2 = (d_1, d_2, ..., d_m), each of which satisfies the following equation.

$d \equiv d_0 + f_1 d_1 + f_2 d_2 + \cdots + f_m d_m \pmod{\lambda(n)}$    (63)

where D1 is secret information of the IC card 9 and is structured so that it cannot be normally read from the outside.

The user of the IC card 9 generates a modulo-exponentiation value expressed by the following equation from the digital information M using the IC card 9 and the terminal unit 2.

$S = M^{d} \bmod n$    (66)

It is a digital signature of the RSA cryptosystem.

In this embodiment, a generation of the digital signature is exemplified. The present invention is applicable also to the encipherment of the RSA cryptosystem.

The computation process is described in the following by referring to FIG. 8.

The user inserts the IC card 9 into the reader writer 7 of the terminal unit 2, commands the start of the terminal unit 2 in accordance with a predetermined sequence, and enters the message M (in steps 801 to 804).

The message is detail of shopping, for example.

The IC card 9 transfers D2 = (d_1, d_2, ..., d_m) and the value n of the modulus to the terminal unit 2 (in steps 805 and 824).

The terminal unit 2 computes m y_i's using D2 and n received by computation sections 2a1 to 2am as expressed in the following equation.

$y_i = M^{d_i} \bmod n \quad (i = 1, \ldots, m)$    (67)

After that, the terminal unit 2 transfers y_i to the IC card 9 (in steps 825 and 807).

On the other hand, the IC card 9 obtains y_0 from the following equation using the secret information d_0 in a computation section 9c.

$y_0 = M^{d_0} \bmod n$    (68)

In addition, the IC card 9 obtains the signature S from the following equation using y_1, ..., y_m received from the terminal 2 (in step 808).

$S = y_0 \cdot y_1^{f_1} \cdot y_2^{f_2} \cdots y_m^{f_m} \bmod n$    (69)

The IC card 9 transfers the signature S to the terminal unit 2 (in step 809). The terminal unit 2 records the signature S and completes the signature process.

In this embodiment, when f_1, ..., f_m are represented in binary notation (0 or 1), the computation of the power which is apparently present in the equation (69) can be omitted, thereby decreasing the computation load of the IC card 9.

There are following three major effects in this embodiment.

(1) Since the secret information of the IC card 9 is not directly transferred to the terminal unit 2, the terminal [...] wiretap the [...] IC card 9 and the terminal [...].

(2) [By using a] sufficiently high speed terminal unit 2, the [...] which executes the modulo-exponentiation com[putation ...].

(3) By properly selecting the secret information of the IC card 9, the process time can be reduced. This effect becomes remarkable when d_0 ≤ 2 and f_1, ..., f_m are represented in binary notation. This embodiment can be also applied to the key-in-common system proposed by Diffie-Hellman. In this case, the differences are that n becomes prime number p and [...].

Another embodiment according to the fourth invention is described in the following.

In this embodiment, like the above embodiment, generations of the RSA cryptosystem and a digital signature are exemplified using the IC card system. It is necessary to note that in the RSA cryptosystem n is the product of two large prime numbers p and q and n = p q can be satisfied.

In this embodiment, in the IC card 9, a plurality of positive integer sets D11 = (d_10, f_11, ..., f_1m), D12 = (d_20, f_21, ..., f_2m) and D2 = (d_1, ..., d_m) have been stored, each of which satisfies the following equations.

$d \equiv d_{10} + f_{11} d_1 + \cdots + f_{1m} d_m \pmod{p - 1}$
$d \equiv d_{20} + f_{21} d_1 + \cdots + f_{2m} d_m \pmod{q - 1}$

D11 and D12 are secret information of the IC card 9 and are structured so that they cannot be normally read from the outside.

The user of the IC card 9 generates a modulo-exponentiation value expressed by the following equation from the digital information M using the IC card 9 and the terminal unit 2.

$S = M^{d} \bmod n$

FIG. 9 shows process steps for computing the signature S in the embodiment.

Since the process steps of FIG. 9 are the same as those of FIG. 8 except for the power remainder computation section in step 940, only the step 940 is described in the following.

Firstly, the IC card 9 transfers the open information D2 to the terminal unit 2 (in steps 905 and 934). The terminal unit 2 computes m y_i's using D2 and n, which have been received, from the following equation.
$y_i = M^{d_i} \bmod n \quad (i = 1, \ldots, m)$    (73)

[...] (in step [...]).

On the other hand, the IC card 9 obtains y_10 and y_20 [from the following equations using] d_10 and d_20 stored in the IC card 9 (in step [...]).

$y_{10} = M^{d_{10}} \bmod p$    (74)
$y_{20} = M^{d_{20}} \bmod q$    (75)

The IC card 9 computes S1 and S2 using y_1, ..., y_m, which have been received from the terminal unit 2, and y_10 and y_20 from the equations (74) and (75) (in step 908).

$S_1 = y_{10} \cdot y_1^{f_{11}} \cdots y_m^{f_{1m}} \bmod p$    (76)
$S_2 = y_{20} \cdot y_1^{f_{21}} \cdots y_m^{f_{2m}} \bmod q$    (77)

Since p and q are relatively prime, from the Chinese remainder theorem, the number S which satisfies the following equations and which is less than n is uniquely determined. The number S is the desired digital signature.

$S_1 = S \bmod p$    (78)
$S_2 = S \bmod q$    (79)

Although these equations can be solved in various methods, by computing W_p and W_q which satisfy the following equations

$W_p = q \cdot (q^{-1} \bmod p)$    (80)
$W_q = p \cdot (p^{-1} \bmod q)$    (81)

and by storing them in the IC card 9 in advance, S can be computed from the following equation.

$S = (S_1 W_p + S_2 W_q) \bmod n$    (82)

The IC card 9 transfers S [...]. The terminal unit 2 records it and completes the signature generation process (in steps 936 to 938).

In this embodiment, the same effects as (1) to (3) described in the above embodiment are accomplished. Particularly the effect (3) is remarkably accomplished when d_10 ≤ 2 and d_20 ≤ 2 and f_11, ..., f_1m, and f_21, ..., f_2m are represented in binary notation.

main unit alone using the computation capacity of the auxiliary unit without divulging the secret information to the auxiliary unit.

[...] determining whether the result obtained by the server-aided computation method described above is valid or invalid and the related units are [described in] the following.

FIG. 11 is a block diagram showing a system composed of the IC card 9 and the auxiliary unit. FIGS. 12 and 13 are a process flow chart embodying the fifth invention and an outline diagram showing the general structure, respectively.

In the IC card 9, decryption keys of the RSA cryptosystem have been stored. Now, assume that the keys [are] p, q [...] where p and q are large prime numbers which are kept secret to the outside except for the IC card 9. The open modulus n is the product of p and q. d is a secret exponent. The exponent e and the modulus n which structure the open keys may be open to the requested side of the computation.

[...] is provided with verification means [...].

The IC card 9 requests the terminal unit 2 to execute the [...]. By a proper server-aided computation method, the requested side of the computation obtains the message M which has been converted [into] the message S of the computation result. When the conversion has been validly executed on the requested side of the computation, it is necessary to satisfy the following equation.

$M = S^{e} \bmod n$

To check the equation, when generating the keys, it is necessary to consider the creation method of the open exponent e.

As well known, when L = LCM(p-1, q-1) is defined, the value of e can be freely decreased without degrading the safety, if e and L are relatively prime.

The IC card 9 computes M' which satisfies the following equation using S as the result of the server-aided computation in step 1206. This computation can be executed by the IC card 9 at a satisfactorily high speed because the value of e is small.

$M' = S^{e} \bmod n$

Then, M' obtained in step 1207 is compared with the former message. When both of them are matched, it can be determined that the computation by the terminal unit 2 has been validly executed.
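An added example in Python (not the patent's own code) of the fourth embodiment's split-exponent signing described above, in both the single-modulus form of FIG. 8 (equations (63) and (67) to (69)) and the CRT form of FIG. 9 (equations (73) to (82)), followed by the fifth invention's check M' = S^e mod n with which the card verifies the terminal's work. The toy RSA key, the sample message and the procedure for choosing the d_i and the bits f_i (which the page does not specify) are assumptions of the example.

```python
"""Fourth embodiment: signing with a split exponent, then the S^e == M check.

The card keeps d_0 (<= 2) and the bits f_1..f_m secret, hands the terminal only
D2 = (d_1..d_m) and n, lets it compute y_i = M^{d_i} mod n, and finishes with
S = y_0 * prod y_i^{f_i} mod n, which needs only multiplications because f_i is 0 or 1.
The FIG. 9 variant does the same modulo p-1 and q-1 and recombines with the CRT.
"""
import random
from math import gcd

# Constructed toy RSA key (assumption, far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
E = 65537
D = pow(E, -1, LAMBDA)


def split_exponent(d, modulus, m, rng):
    """Constructed splitting (the page does not say how d_i and f_i are chosen): d_0 <= 2,
    random d_1..d_{m-1} and bits f_1..f_{m-1}, then d_m is solved for with f_m = 1 so that
    d = d_0 + sum f_i d_i (mod modulus), equation (63)."""
    d0 = rng.randrange(3)
    ds = [rng.randrange(1, modulus) for _ in range(m - 1)]
    fs = [rng.randrange(2) for _ in range(m - 1)]
    d_last = (d - d0 - sum(f * di for f, di in zip(fs, ds))) % modulus
    return d0, fs + [1], ds + [d_last]


def split_exponent_crt(d, m, rng):
    """FIG. 9 variant: one open D2 = (d_1..d_m) shared by two secret splits, one valid
    modulo p-1 (D11) and one modulo q-1 (D12). The last two members solve each congruence."""
    ds = [rng.randrange(1, LAMBDA) for _ in range(m - 2)]
    d10, d20 = rng.randrange(3), rng.randrange(3)
    f1 = [rng.randrange(2) for _ in range(m - 2)]
    f2 = [rng.randrange(2) for _ in range(m - 2)]
    dp = (d - d10 - sum(f * di for f, di in zip(f1, ds))) % (P - 1)
    dq = (d - d20 - sum(f * di for f, di in zip(f2, ds))) % (Q - 1)
    return d10, f1 + [1, 0], d20, f2 + [0, 1], ds + [dp, dq]


def terminal_powers(msg, ds, modulus):
    """Terminal side, equations (67)/(73): the m full-size exponentiations."""
    return [pow(msg, di, modulus) for di in ds]


def card_combine(msg, d0, fs, ys, modulus):
    """Card side, equations (68)/(69): y_0 = M^{d_0}, then multiply in the y_i whose f_i is 1."""
    s = pow(msg, d0, modulus)
    for f, y in zip(fs, ys):
        if f:
            s = s * y % modulus
    return s


def sign_single_modulus(msg, m=8, seed=None):
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    d0, fs, ds = split_exponent(D, LAMBDA, m, rng)
    ys = terminal_powers(msg, ds, N)            # the terminal sees D2 = ds and n only
    return card_combine(msg, d0, fs, ys, N)


def sign_crt(msg, m=8, seed=None):
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    d10, f1, d20, f2, ds = split_exponent_crt(D, m, rng)
    ys = terminal_powers(msg, ds, N)
    s1 = card_combine(msg % P, d10, f1, [y % P for y in ys], P)   # (76)
    s2 = card_combine(msg % Q, d20, f2, [y % Q for y in ys], Q)   # (77)
    w_p = Q * pow(Q, -1, P)                                        # (80)
    w_q = P * pow(P, -1, Q)                                        # (81)
    return (s1 * w_p + s2 * w_q) % N                               # (82)


def check_signature(msg, s):
    """Fifth invention: the card verifies the terminal's work with the cheap public exponent."""
    return pow(s, E, N) == msg


if __name__ == "__main__":
    msg = 123456789012                         # constructed sample message
    for sig in (sign_single_modulus(msg), sign_crt(msg)):
        assert sig == pow(msg, D, N) and check_signature(msg, sig)
    print("split-exponent signatures match M^d mod n and pass S^e == M")
```

With d_0 at most 2 and binary f_i, the card's share of the work is a handful of modular multiplications; the terminal never sees d_0 or the bit vector, so the d_i it receives do not let it reconstruct d, and a wrong y_i is caught by the S^e comparison before the signature is released.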

Lastly, the effect of shortening the process time in [the fourth] invention is shown in FIG. 10.

The vertical axis of the chart represents a relative value of the process time (assuming that the process time on which the IC card 9 generates a signature by itself is 1). The horizontal axis of the chart represents a relative value v of the process speed of the terminal unit 2 (assuming that the computation speed of the IC card 9 [is 1]).

Approximately, in the range of 20 ≤ v ≤ 1000, it is obvious that the process time of the server-aided computation method of the fourth invention becomes short.

Consequently, according to the fourth invention, the secret information of the main unit such as the IC card 9 which operates as the main computation unit can be processed in shorter time than that executed by the

In the server-aided computation method relating to the conversion f_k according to the secret information k, [since the] requesting side of the computation can easily execute the reverse conversion $f_k^{-1}$, this method can be generally applied to any other server-aided computations as well as the RSA cryptosystem. FIG. 13 shows the system structure where the server-aided computation method is generally extended.

In FIG. 13, the requesting side of the computation [applies the secret] information k to the input information x in a first process section 51, computes $y = f_k(x)$ with an assistance of a process section 52 on the requested side, solves $x' = f_k^{-1}(y)$ in a second process section 53, and compares x' with the input information x in a comparison section 54 so as to verify the process result.

Therefore, in this embodiment, since the input information x and the information x' obtained by the reverse
conversion are compared in the comparison section 54, the server-aided computation can be really validated.

By referring to FIGS. 14 and 15, another embodiment of the fifth invention is described in the following. In this embodiment, a server-aided computation of a modulo-exponentiation in the Diffie-Hellman type key-in-common protocol is described as an example.

Firstly, the Diffie-Hellman type key-in-common protocol is described. When the key data is shared between the user A and the user B, the following process is executed.

As the preparation, it is necessary to generate for a user i a secret key x_i, compute the open key $p_i = g^{x_i} \bmod p$, and open p_i to the public where p is a prime number and g is [...] which are common in all users. The user A obtains a common key K_AB by the computation of the equation (83) using the open key of the user B and the own secret key x_A.

$K_{AB} = p_B^{x_A} \bmod p$    (84)

The user B obtains the common key K_BA by the computation of the equation (86) using the open key p_A of the user A and the own secret key x_B.

$K_{BA} = p_A^{x_B} \bmod p$    (86)

K_BA accords with K_AB. In addition, it is difficult to obtain the secret key using the open key because it requires computing a discrete logarithm.

The above key-in-common protocol can be accomplished by executing the modulo-exponentiation $p_i^{x} \bmod p$ where the prime number p is the modulus.

Next, the server-aided computation protocol of a modulo-exponentiation where the prime number p is the modulus is described in the following. Assume that the requesting side of the computation is the IC card 9 and the requested side is the terminal unit 2 which has higher computation capacity than the IC card 9. The IC [card 9 ...] the equation (87). This process can be executed by the IC card itself or the center as a key issuer [...]. In addition, it is also possible to store this process in the IC card as secret information.

$x \equiv x_0 + f_1 x_1 + f_2 x_2 + \cdots + f_m x_m \pmod{p - 1}$    (87)

where f_i is 0 or 1 and x_0 is a small value.

F = (f_1, f_2, ..., f_m), D = (x_1, x_2, ..., x_m), and x_0 are named separated members of the key x.

These x, F, D, and x_0 are secret information of the IC card 9. The separation method of the key x is a modification of the method of the RSA-S1 protocol (proposed in the thesis of Matsumoto and Imai, "How to ask services without violating privacy", 1989 Encipherment and Information Security Symposium Text, February 1989).

The server-aided computation protocol using the key separation is shown in FIG. 14.

(1) The IC card 9 sends D to the terminal unit 2 (in step 1401).

(2) The terminal unit 2 receives the separated member D in step 1410, computes z_i (1 ≤ i ≤ m) of the following equation (88) in step 1411, and sends the resultant data Z = (z_1, z_2, ..., z_m) to the IC card 9 in step 1412.

$z_i = g^{x_i} \bmod p$    (88)

(3) The IC card 9 receives Z in step 1402 and computes K (K_1) of the equation (89) in step 1403.

$K = g^{x_0} \cdot z_1^{f_1} \cdot z_2^{f_2} \cdots z_m^{f_m} \bmod p$    (89)

[...] a method for determining whether the process of the terminal unit 2 has validly [executed] the server-aided computation of the modulo-exponentiation and for detecting the result if it is invalid is provided. As one example, a method for checking [whether the] signatures obtained by different separated members [through the] server-aided computation protocol [are] matched is described in the following.

(1) The IC card 9 creates two separated members which satisfy the equation (21) and names them D_1 and D_2.

(2) The IC card 9 executes the process of the server-aided computation using D_1 and obtains the result K_1.

(3) The IC card 9 executes the process of the server-aided computation using D_2 in step 1404.

(4) The terminal unit 2 receives [D_2] in step 1413, computes the following equation in step 1414, $W_i = g^{y_i} \bmod p$ (1 ≤ i ≤ m), obtains the following in step 1415, W = (W_1, W_2, ..., W_m), and sends the result to the IC card 9.

(5) The IC card 9 receives W from the terminal unit 2 in step 1405 and obtains the result K_2 in step 1406 [and compares K_1 with K_2] in step 1407. When they are matched, the IC card 9 determines that the computation result is valid in step 1408. When they are not matched, the IC card 9 determines that the computation result is invalid in step 1409.

In this protocol, it is possible to verify whether [the terminal unit 2 has validly executed] the process [...]. [The two separated members ...] should be different between them. If they are not different, when the terminal unit 2 computes the equation (88) using g' as the base rather than g, the results K_1 and K_2 are matched. [It is] obvious that the result of the computation of the equation (88) using g as the base differs from that using g'. The RSA-S1 protocol, which is the original of the above protocol, is a method equivalent [to] x_0 = 0. In the method for verifying the computation result by executing the above method twice, an attack method using g' instead of g is present. Thus, x_0 is added as a separated member of a key.

The same result can be obtained by other methods as well as the method described in this embodiment. For example, the practical protocol can be generalized by increasing the number of the separated members to 3 or more. In addition, when computing K_1 and K_2, it is also possible to use a different server-aided computation method.
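An added example in Python (not from the patent) of the key-separation protocol of FIG. 14 and the two-run check of steps (1) to (5) above: the card runs the server-aided exponentiation twice with separations that differ in x_0 and compares K_1 with K_2. A terminal that exponentiates 2g instead of g (standing in for the page's g') yields K_1 ≠ K_2 and is detected, which is the reason the page gives for adding x_0 as a separated member. The toy prime, the base, the users' secret keys and the way a separation is generated are assumptions of the example.

```python
"""Server-aided Diffie-Hellman exponentiation with key separation and the two-run check.

The card splits its secret as x = x_0 + sum f_i x_i (mod p-1), equation (87), sends only
D = (x_1..x_m) to the terminal, receives z_i = base^{x_i} mod p (equation (88)) and forms
K = base^{x_0} * prod z_i^{f_i} mod p (equation (89)). Two runs with different x_0 must
agree; a terminal using another base makes them differ.
"""
import random

P_DH = 1000003   # constructed toy prime modulus (assumption)
G = 5            # constructed toy base (assumption)


def separate_key(x, m, x0, rng):
    """Constructed separation (the page gives only the equation): random x_1..x_{m-1} and
    bits f_1..f_{m-1}; x_m is solved for with f_m = 1 so that equation (87) holds."""
    xs = [rng.randrange(1, P_DH - 1) for _ in range(m - 1)]
    fs = [rng.randrange(2) for _ in range(m - 1)]
    x_last = (x - x0 - sum(f * xi for f, xi in zip(fs, xs))) % (P_DH - 1)
    return fs + [1], xs + [x_last]


def honest_terminal(base, xs):
    """Terminal side, equation (88)."""
    return [pow(base, xi, P_DH) for xi in xs]


def cheating_terminal(base, xs):
    """A terminal that substitutes another base (2*base mod p, playing the page's g') for the
    requested one; this is the failure the second run with a different x_0 catches."""
    return honest_terminal(2 * base % P_DH, xs)


def card_combine(base, x0, fs, zs):
    """Card side, equation (89): the only exponentiation left on the card is the small x_0."""
    k = pow(base, x0, P_DH)
    for f, z in zip(fs, zs):
        if f:
            k = k * z % P_DH
    return k


def server_aided_exp(base, x, terminal, m=8, seed=None):
    """Steps (1) to (5): run with x_0 = 1 and x_0 = 2, return (K, valid)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    results = []
    for x0 in (1, 2):                         # two separated members differing in x_0
        fs, xs = separate_key(x, m, x0, rng)
        zs = terminal(base, xs)               # the terminal only ever sees D = xs
        results.append(card_combine(base, x0, fs, zs))
    k1, k2 = results
    return (k1 if k1 == k2 else None), k1 == k2


if __name__ == "__main__":
    x_a, x_b = 123457, 987654                 # constructed secret keys of users A and B
    p_b = pow(G, x_b, P_DH)                   # B's open key
    k, ok = server_aided_exp(p_b, x_a, honest_terminal)
    assert ok and k == pow(G, x_a * x_b, P_DH)   # K_AB = p_B^{x_A} mod p
    _, ok = server_aided_exp(p_b, x_a, cheating_terminal)
    assert not ok
    print("honest terminal: K_1 == K_2; base-substituting terminal: detected")
```

Why the check works: with the wrong base g' the two results are g^{x_0}·g'^{x - x_0} for x_0 = 1 and x_0 = 2, whose ratio is g'/g, so they coincide only when g' = g. With x_0 fixed at 0 (the RSA-S1 form the page mentions) both runs would give g'^x and the substitution would pass unnoticed.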
FIG. 15 shows a general structure of this embodiment.

(1) Using first process sections 55 and 56 on the requesting side and the requested side, respectively, the [...] is obtained.

(2) Using second process sections 57 and 58 on the [requesting side and the requested side], respectively, the [...] is obtained.

(3) [...] comparison section 59 [...].

An independent server-aided computation method which can be used for such compound type protocol can be selected from those which have been proposed.

Only the server-aided computation method for computing modulo-exponentiation necessary for the Diffie-Hellman type key-in-common protocol has been described. In a general server-aided computation, the validity of the computation result can be verified by the method described above. For example, for verifying the computation result of the RSA cryptosystem, it is possible to use the same method.

By referring to FIGS. 16 and 17, another embodiment is described in the following. The concept of the method described in the following is similar to that of the above embodiment. As outlined in FIG. 16, generally, when information which has not been converted and that which has been converted are x and y, respectively, in the server-aided computation method for the conversion $y = f_k(x)$ according to secret information k, the conversion process is executed in first process sections 60 and 61. When reverse conversion $f_k^{-1}$ is present, it is obtained by second process sections 62 and 63. A comparison section 64 verifies the fidelity of the requested side of the computation using the reverse conversion by checking that $x' = f_k^{-1}(y)$ accords with x.

The outline of the protocol is as follows.

(1) x is converted using the server-aided computation of the forward conversion and the requesting side of the computation obtains y.

(2) y is converted using the server-aided computation of the reverse conversion and the requesting side of the computation obtains x'.

(3) The requesting side of the computation compares x with x' and when they are matched, it determines that the result y is valid.

However, in the first embodiment, the reverse conversion was applicable only when it could be easily executed on the requesting side. However, in this embodiment, the reverse conversion is applicable, even if the reverse conversion cannot be executed only by the requesting side. To accomplish that, in this embodiment, the server-aided computation is also applied to the reverse conversion.

The structures of practical forward and reverse server-aided computations should be considered depending on individual applications.

It is necessary to note that the information necessary for the reverse server-aided computation is transferred to the outside of the unit on the requesting side of the computation as well as that necessary for the forward server-aided computation. Thus, the protocol should be structured in the manner that the secret information k is not divulged to the outside except for the requesting side even if the two types of information are combined.

In addition, generally, the requested side sends information back to the requesting side one time each for the forward server-aided computation and the reverse server-aided computation. In total, the information is sent two times. When the information which is sent two [times includes information] which is not obtained in the valid process, the protocol should be structured so that the protocol does not allow the information to be passed to the verification.

Using an example of the server-aided computation of [the] RSA cryptosystem, it is possible to represent that [...] computation load of [...].

[...] the requesting side of the computation is the IC [card 9 and] the requested side of the computation is the [terminal unit 2 ...]. [...] a practical example of the process [...] decipher keys d, [p and q] of [the RSA] cryptosystem where p and q are [...], [d is a secret] exponent, and the exponent e and the modulus [n] which structure the open keys may be open to the requested side of the computation. The server-aided computation method described in the above embodiment is practically exemplified in the following.

[The IC card 9] knows a random number R_0 which satisfies the following conditions and which is kept secret to the terminal unit 2.

$r_p = R_0 \bmod (p - 1)$,
$r_q = R_0 \bmod (q - 1)$, and
[the value] of $\chi(r_p) + \chi(r_q)$ is relatively small.

[The IC] card 9 sends d' and n which have been computed from the equation $d' = (d - R_0) \bmod L$ to the terminal unit 2 (in step 1701). The terminal unit 2 receives them in step 1713, computes the equation $S' = M^{d'} \bmod n$ in step 1715, and sends the result to the [IC] card 9 in step 1716. The IC card 9 receives S' in step 1704 and obtains S from $S = M^{R_0} \cdot S' \bmod n$ in step 1705. [The] above process is the forward server-aided computation.

On the other hand, the IC card 9 has computed $Q_1 = R_1^{d} \bmod n$ using another random number R_1 and the modulus n. The computation load for computing Q_1 from R_1 is large. However, to reduce the computation load, it is possible to compute Q_1 in advance using a non-busy time of the CPU 15 of the IC card 9. When a plurality of random numbers and sets of their powers are generated in the non-busy time, signatures can be successively generated (or cipher texts can be successively deciphered). The set of R_1 and Q_1 can be also generated in the manner that firstly $R_1 = Q_1^{e} \bmod n$ and Q_1 have been generated and then R_1 is assigned.

A procedure for the reverse server-aided computation for determining the validity of S obtained as the result of the forward server-aided computation is described in the following.

(1) The IC card 9 computes the product of S and Q_1, which is $Z = (S \cdot Q_1) \bmod n$, in step 1706 and sends Z to the terminal unit 2 in step 1707.

(2) The terminal unit 2 receives Z in step 1717, computes $W = Z^{e} \bmod n$ using the open exponent e in step 1718, and sends the result to the IC card 9 in step 1719.

(3) The IC card 9 receives the result in step 1708 and computes $V = (W / R_1) \bmod n$ in step 1709.
(4) The IC card 9 compares V with M in step 1710 and when they are matched, it determines that the result S of the forward server-aided computation is valid.

In the following, the reason why the steps (1) to (4) above allow the validity of the forward server-aided computation to be determined is described.

In the step (4) of the reverse server-aided computation, to allow V to be matched with M, $V = (W / R_1) \bmod n$ should be satisfied, thereby $W = M R_1 \bmod n$. When $W \neq M R_1 \bmod n$, it is determined that all the server-aided computation failed. In this protocol, the terminal unit 2 knows M. Thus, even if the forward server-aided computation failed, when the terminal unit knows R_1 in the step (2), it may compute $W = M R_1 \bmod n$ and cause the IC card 9 to generate an invalid signature. However, since the terminal unit 2 knows R_1 only when it correctly executes the forward server-aided computation, the validity of the forward server-aided computation can be determined in the above process.
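An added example in Python (not from the patent) of the forward and reverse server-aided computations of FIG. 17 and the argument of steps (1) to (4) just given: the card publishes d' = (d - R_0) mod L, completes S = M^{R_0}·S' mod n, then checks S by sending Z = S·Q_1 mod n, receiving W = Z^e mod n and testing V = W / R_1 mod n against M, where the pair (R_1, Q_1) was made in idle time as R_1 = Q_1^e mod n. The toy key, the fixed R_0 and Q_1, the sample message and the faulty terminal that returns S' + 1 are constructed for this example.

```python
"""Fifth invention, FIG. 17: forward server-aided signing with a masked exponent, then a
reverse server-aided computation that lets the card verify the terminal's answer without
computing M^d or S^e itself.

Forward: card sends d' = (d - R_0) mod L, terminal returns S' = M^{d'} mod n,
         card forms S = M^{R_0} * S' mod n.
Reverse: card holds (R_1, Q_1) with Q_1 = R_1^d mod n, sends Z = S*Q_1 mod n,
         terminal returns W = Z^e mod n, card checks V = W / R_1 mod n == M.
"""
from math import gcd

P, Q = 1000003, 1000033          # constructed toy RSA primes (assumption, far too small)
N = P * Q
L = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # L = LCM(p-1, q-1)
E = 65537
D = pow(E, -1, L)


def honest_terminal_power(base, exponent):
    return pow(base, exponent, N)


def faulty_terminal_power(base, exponent):
    """A terminal that returns a wrong value (constructed fault: off by one)."""
    return (pow(base, exponent, N) + 1) % N


def card_forward(msg, r0, terminal):
    """Steps 1701-1705: only d' leaves the card; S is completed with the secret R_0."""
    d_prime = (D - r0) % L
    s_prime = terminal(msg, d_prime)
    return pow(msg, r0, N) * s_prime % N


def card_precompute_pair(q1):
    """Idle-time precomputation. As the page notes, choosing Q_1 first and setting
    R_1 = Q_1^e mod n is cheap and still gives Q_1 = R_1^d mod n."""
    return pow(q1, E, N), q1


def card_reverse_check(msg, s, r1, q1, terminal):
    """Steps 1706-1710. If S is correct, W = (S Q_1)^e = M R_1 mod n and V = M."""
    z = s * q1 % N                               # step 1706
    w = terminal(z, E)                           # step 1718: terminal uses the open e
    v = w * pow(r1, -1, N) % N                   # step 1709: V = W / R_1 mod n
    return v == msg                              # step 1710


def sign_and_verify(msg, r0, q1, forward_terminal, reverse_terminal=honest_terminal_power):
    """Whole protocol from the card's point of view: returns (S, valid)."""
    s = card_forward(msg, r0, forward_terminal)
    r1, q1 = card_precompute_pair(q1)
    return s, card_reverse_check(msg, s, r1, q1, reverse_terminal)


if __name__ == "__main__":
    msg = 123456789012                       # constructed sample message
    r0, q1 = 0x5A5A5A5A, 987654321           # constructed card secrets R_0 and Q_1
    s, ok = sign_and_verify(msg, r0, q1, honest_terminal_power)
    assert ok and s == pow(msg, D, N)
    s_bad, ok = sign_and_verify(msg, r0, q1, faulty_terminal_power)
    assert not ok and s_bad != s
    print("honest terminal passes the reverse check; faulty terminal is detected")
```

The card's cost for the check is one multiplication, one modular inverse and one comparison; the terminal learns R_1 from W = M·R_1 only by having computed W correctly, which is the point the page makes about why a forged W cannot be produced in advance.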

By referring to FIG. 18, a third embodiment is described in the following. This embodiment can be applied to verify a signature of the RSA cryptosystem being generated. The concept is that the verification of the forward server-aided computation is performed using the server-aided computation of the reverse conversion like the embodiment shown in FIG. 12.

The IC card 9 has obtained u, v, and w which satisfy the equation (90) using the open exponent e in advance.

(1) The IC card 9 requests the terminal unit 2 to generate a signature without divulging the secret key d to the terminal unit 2. At the time, the parameter w of the equation (90) should satisfy the following two conditions. (Condition 1) w ≠ 0. (Condition 2) e d 0 are not divided by w.

(2) The IC card 9 sends S which has been obtained as 
the result of the server-aided computation for generat- 
ing the signature in (1) to the terminal unit 2 in step 
1806. 

(3) The terminal unit 2' receives S in step 1816, obtains 
L' of the equation (91) where S is raised to the u*th 
power m step 1817. and sends U to the IC card 9 in step 
1818. 
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t-S" 



(91) 



(4) IC card 9 receives U in step 1807 and computes V 
of the following equation (92) in step 1808. 
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VaC*^* mod I 



(92) 



(5) The IC card determines whether V and the plain 
text M are matched in step 1809. When they are 
matched, the IC card 9 determines that S is the valid 
signature. Otherwise, the IC card 9 determines that 
invalid computations have been executed. 

Consequently, since V = S^(u·v + w) = S^e mod n is satisfied, when the terminal unit 2 has correctly executed the computation, S = M^d mod n is obtained, thereby [...]

If the terminal unit 2 has not validly executed the computation in the step (1) above and the S it has obtained is not a valid S, it is necessary to consider whether the terminal unit 2 can obtain a U which passes only the last verification.

M = U^v · S^w mod n is the last verification equation. Although S^w can be obtained by the terminal unit 2, it is necessary to lastly obtain a U which satisfies U^v = M / S^w mod n. Namely, the v-th root in the modulus n should be obtained. Consequently, it is difficult to obtain a U which can pass only the last verification equation.

When the two conditions for w have not been satisfied, it is possible to change the structure in the manner that only the last verification equation is passed without obtaining the v-th root in the modulus n.

In addition, in the steps (3) to (5), the secret information of the IC card 9 has not been used. Thus, unless the secret information of the IC card 9 is divulged by the server-aided computation protocol for generating the signature used in the step (2), the secret information is never divulged. Since it is possible to consider that only the step (2) prevents the secret information from being divulged, the secret information is never divulged through these steps.

In these steps, v = 3 and w = 2 can be set depending on the value of the open key e. In this case, the computation amount that the IC card 9 executes becomes minimum and the modulo multiplication is executed four times. Thus, when the value of the open key e is large, the process time can be beneficially reduced.

By referring to FIG. 19, another embodiment is described in the following.

The IC card 9 has created secret information t, which is used in the server-aided computation for the reverse conversion, in advance. Although t is a random number, it is restricted to the condition where the value of x(t_p) + x(t_q) is small so as to effectively execute the verification, where t_p and t_q are the values defined in the following equations (93) and (95). These conditions are the same as those used in the server-aided computation of the above embodiment.

t_p = t mod (p − 1)   (93)
t_q = t mod (q − 1)   (95)

As shown in FIG. 19, assume that the IC card 9 and the terminal unit 2 have obtained the signature text S in accordance with steps 1901 to 1905 and steps 1912 to 1915, respectively. To verify the validity of the signature text S, the IC card 9 and the terminal unit 2 execute steps 1906 to 1909 and steps 1916 to 1918, respectively.

(1) The IC card 9 computes Y = S^t mod n in step 1906 and transfers the computed Y to the terminal unit 2.

(2) The terminal unit 2 receives Y in step 1916, computes Z = Y^e mod n using the open keys e and n in step 1917, and transfers the computed Z to the IC card 9 in step 1918.

(3) The IC card 9 computes W = M^t mod n in step 1907 and receives Z, computed in step 1918, from the terminal unit 2 in step 1908.

(4) The terminal unit 2 determines that Z = W in step 1909 and advances to step 1901. When it is determined that Z ≠ W in step 1909, the terminal unit 2 determines that the steps being executed are invalid, advances to step 1910, and informs the user of the invalidity.

The modulo-multiplication method of the steps (1) and (3) is supplemented in the following. Although Y = S^t mod n is computed in the modulus n, the multiplication should be executed approximately log2 t times. When the equation is computed by dividing it into two modulo-exponentiations relating to the two prime numbers p and q structuring the modulus n according to the Chinese remainder theorem, the computation time can be reduced.

In addition, the number of times of computing the multiplication in the modulus p is x(t_p), and that in the modulus q is x(t_q). When t is selected, if the condition where the value of x(t_p) + x(t_q) is small has been imposed, the computations of the modulo-exponentiations of the steps (1) and (3) can be effectively executed by a unit with small computation capacity such as the IC card 9.

When t is selected to a small value, although the computation load of the IC card 9 is reduced, the IC card 9 becomes weak against an attack estimating t by the round robin method. Thus, it is necessary to increase the value of t to some extent.

The embodiment in FIG. 19 shows a case where this verification method is associated with a special server-aided computation. However, this verification method is not limited to the special server-aided computation method.

In this verification method, when the open exponent e is a composite number, the reliability of the verification may degrade.

For example, assume that e is the product of two integers a and b, namely, e = a·b.

If the terminal unit 2 invalidly changes the server-aided computation result S to S' = S^a mod n, the terminal unit 2 correspondingly computes Z' = Y^b mod n in the step (2) of the above verification rather than computing Z' = Y^e mod n. In this case, since the Z' that the IC card 9 has obtained becomes M^t by the transformation of the following equation, the terminal unit 2 succeeds in passing the verification.
Z' = Y^b mod n
   = S'^(b·t) mod n
   = S^(a·b·t) mod n
   = (S^(a·b))^t mod n
   = M^t mod n
   = W mod n

This attack method succeeds only when e is a composite number, the factorization into prime factors is known, and the result of the server-aided computation can be changed so that S' = S^a mod n is satisfied. Thus, when a prime number is selected for e, this attack method fails and the verification becomes effective. Even if e is a prime number, the degree of safety of the RSA cryptosystem does not degrade.

Next, another embodiment is described in the following.

The protocol that follows is valid only when the computation load in the reverse conversion is large to some extent, namely, the value of the open exponent e is large. This method is used to prevent Hastad's attack in simultaneous transmission (J. Hastad, "On using RSA with low exponent in a public key network", Crypto 85, pages 403-408, 1985), to increase the value of e more than that of log n so as to allow any plain text to be folded in the modulus n more than one time, and to make the open exponent e common to all the users by defining the quartic Fermat's number (= 2^16 + 1) as e.

By referring to FIG. 20, a protocol which uses a server-aided computation method which is a modification of the RSA-S2 protocol (proposed in the thesis of Matsumoto and Imai, "How to ask services without violating privacy", 1988 Encipherment and Information Security Symposium Text, February 1988) is described in the following.

[1] The IC card 9 obtains the converted result S of the plain text M in accordance with the following protocol without transferring the secret key d to the terminal unit 2.

(1) The IC card 9 separates the secret key d as expressed in the following equations.

where

F and G are binary values. (Generally, f_i and g_i can be positive integers.) However, the expression Weight(F) + Weight(G) + x(d_op) + x(d_oq) ≤ L should be satisfied (where L is a parameter which is determined by the degree of safety).

d_op, d_oq, F, and G are secret information of the IC card 9. As described below, since the terminal unit 2 cannot know d_op, d_oq, F, and G via the protocol, it cannot obtain the secret information d.

(2) The IC card 9 sends the modulus n and D to the terminal unit 2 (in step 2001).

(3) The terminal unit 2 computes the following equation and sends the plain text M and Z to the IC card 9 in step 2014.

z_i = M^(d_i) mod n   (1 ≤ i ≤ m)

(4) The IC card 9 computes S_p and S_q of the following equations in step 2004.

By combining S_p and S_q using the Chinese remainder theorem (CRT), the result S is obtained.

(2) The IC card 9 separates the open key e as expressed by the following equation.

(3) The IC card 9 computes U of the following equation and sends U and e'' to the terminal unit 2 in step 2005.

U = S^u mod n

[4] The terminal unit 2 computes V of the following equation in step 2016 and sends V to the IC card 9 in step 2017.

(5) The IC card 9 computes W of the following equation in step 2008.

W = S^v · V mod n

(6) When W and M are matched in step 2009, the IC card 9 determines that S is a valid signature. When they are not matched, the IC card 9 detects in what part of the protocol an invalid process has been executed.

In evaluating the safety of the above method, when the terminal unit 2 has validly executed the computation, it is obvious that the IC card 9 determines that "the terminal unit 2 has validly executed the computation."

Then, it is necessary to consider whether the terminal unit 2 can pass the last verification and change S to an invalid signature or not. The verification equation of this embodiment is expressed as follows.

M = S^v · V mod n

Generally, to obtain a V which satisfies the above equation, it is necessary to obtain the result S of the server-aided computation [1]. However, since the result S which has been raised to the second power is sent back, it is difficult to obtain S from the value being received. Although it may be possible to obtain the result S along with S^2, which is sent back in (3), by properly selecting the Z which is sent to the client in [1] (3), it has not been known thus far. The secret information which is newly added to the server-aided computation protocol for the verification is only the result S of the server-aided computation method [1]. All other information can be obtained by the terminal unit 2 alone. In the server-aided computation method [1], even if the result S is open to the public, it seems that the secret keys of the clients may not be divulged. Thus, it is supposed that the secret keys will not be divulged via [1] to (6).

On the other hand, in this embodiment, the computation load can be generalized by separating the open key e into the form of u·e'' + v. However, as described above, since e is an odd number, it is possible to set u = 2 and v = 1. In this case, the computation load of the IC card 9 necessary for the verification becomes minimum, namely, only two multiplications in the modulus n. The communication data amount is around 1024 bits. Thus, for example, when e is a quartic Fermat's number, if the communication time and the server's process time are ignored, a high speed verification which is approximately 8 times that of the direct method can be accomplished.

In this embodiment, the feature is that the result S of the server-aided computation [1] is not transferred to the terminal unit 2. However, depending on the server-aided computation protocol type used in [1], it is possible to pass the verification protocol (2) to (6) described above. In other words, when the KS method described in the thesis "Secret Conversion of RSA Cryptosystem Using Server-Aided Computation" (1989 Encipherment and Information Security Symposium Text, February 1989), the method described in the thesis "How to ask services without violating privacy" (1989 Encipherment and Information Security Symposium Text, February 1989), or the RSA-S1/S2 protocol (ditto) is used in the server-aided computation section, if the terminal unit 2 can successively generate the information to be sent back to the IC card 9 in (1), it can know the result S of (1) by using the U of (3). (In the general form of e = u·e'' + v, when (e, u) = 1, for protocols except for the KS method, the signature can be stolen.) When the modified method of the S2 protocol is used, the same type of attack method has not been known.

The modified method of the S2 protocol described in this embodiment contains both the KS method and the S2 method as special cases. In other words, the separation method of the secret information in the modified method accords with the S2 method when d_op = d_oq = 0 is satisfied in the following equations.

On the other hand, when f_1 = g_1 = 1 is satisfied and the other f_i and g_i are all 0, the modified method becomes the KS method. However, as described above, in the KS method there is an attack method where a random result of the server-aided computation is sent back, the last verification equation is passed, and thereby the terminal unit 2 can steal the signature.

Against the modified method, the same type of attack method has not been known. Thus, it can be said that the modified method of this embodiment is superior to the KS method and the S2 method when the verification is also considered.

From the facts described above, the meaning of the separation method of the secret information in the modified method can be explained. The terms d_op and d_oq prevent the signature from being stolen. The terms f_1 d_1 + f_2 d_2 + ... + f_m d_m and g_1 d_1 + g_2 d_2 + ... + g_m d_m prevent the attack method where a random result of the server-aided computation is returned and the last verification is passed.

In addition, in the modified method, the number of variables is greater than those of the KS method and the S2 method (in the KS method, two variables d_op and d_oq are used; in the S2 method, two vector variables F and G are used; while in the modified method, four variables d_op, d_oq, F, and G are used). Thus, the parameters can be more flexibly selected depending on the process speeds of the IC card 9 and the terminal unit 2 than in the other methods. Assuming that the communication time between the IC card 9 and the terminal unit 2 can be ignored, when the process speed of the terminal unit 2 is very fast, the process time of the S2 method becomes the shortest. When the process speed of the terminal unit 2 is relatively slow, the process time of the KS method is the shortest of these methods. The modified method described in the embodiment is in the middle position between the above two methods.
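The IC-card-side checks of FIG. 18 (e = u·v + w, V = U^v · S^w mod n) and FIG. 19 (Y = S^t, Z = Y^e, W = M^t), together with the composite-e caveat given for FIG. 19, as an added toy model in Python; this is not code from the patent. The key of two small primes, the message, the value of t and all function names are constructed assumptions of mine.

```python
"""Toy model of the IC-card-side validity checks described for FIG. 18 and FIG. 19.

Added example, not code from the patent. The key is a constructed toy key of two
small primes, the message and t are constructed values, and the function names
are my own; this only makes the exponent arithmetic of the checks concrete.
"""

# Constructed toy RSA key: two small primes and a prime public exponent.
P, Q = 10007, 10009
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # secret exponent, known only to the IC card


def is_prime(x):
    """Trial division; enough for toy-sized exponents."""
    if x < 2:
        return False
    f = 2
    while f * f <= x:
        if x % f == 0:
            return False
        f += 1
    return True


def crt_pow(base, t, p, q):
    """base^t mod (p*q) using t_p = t mod (p-1), t_q = t mod (q-1) and the
    Chinese remainder theorem, the cost saving the text describes for Y = S^t mod n.
    Assumes gcd(base, p*q) == 1 so the exponent may be reduced mod p-1 and q-1."""
    rp = pow(base % p, t % (p - 1), p)
    rq = pow(base % q, t % (q - 1), q)
    h = ((rq - rp) * pow(p, -1, q)) % q  # Garner recombination
    return rp + p * h


# ---- FIG. 18: e = u*v + w, the card checks V = U^v * S^w mod n against M ----

def split_public_exponent(e, d, v=3, w=2):
    """Return (u, v, w) with e = u*v + w. v=3, w=2 is the four-multiplication
    case mentioned in the text; w must be non-zero and divide neither e nor d
    (conditions 1 and 2 on w)."""
    if w == 0 or e % w == 0 or d % w == 0 or (e - w) % v != 0:
        raise ValueError("w violates the conditions on the exponent split")
    return (e - w) // v, v, w


def fig18_card_check(m, s, big_u, v, w, n):
    """Steps 1808-1809: V = U^v * S^w mod n must equal M. Only the small
    exponents v and w are raised on the card; U = S^u came from the terminal."""
    return (pow(big_u, v, n) * pow(s, w, n)) % n == m


def run_fig18(m, terminal_sign, terminal_u):
    """FIG. 18 exchange with the terminal's two steps supplied as callables:
    terminal_sign(m) -> S and terminal_u(s, u) -> U = S^u mod n."""
    u, v, w = split_public_exponent(E, D)
    s = terminal_sign(m)       # step 1806: S received from the terminal
    big_u = terminal_u(s, u)   # steps 1817-1818: U from the terminal
    return fig18_card_check(m, s, big_u, v, w, N)


# ---- FIG. 19: Y = S^t (card), Z = Y^e (terminal), W = M^t (card), Z == W? ----

def run_fig19(m, s, t, terminal_z, e=E):
    """Steps 1906-1909. The card refuses a composite e, because the text shows
    the comparison can be passed with an invalid S when e = a*b."""
    if not is_prime(e):
        raise ValueError("FIG. 19 check needs a prime public exponent")
    y = crt_pow(s, t, P, Q)    # step 1906: Y = S^t mod n, sent to the terminal
    z = terminal_z(y)          # step 1917: Z = Y^e mod n if the terminal is honest
    w = crt_pow(m, t, P, Q)    # step 1907: W = M^t mod n
    return z == w              # step 1909


def composite_e_passes_with_invalid_s(m, a, b, t, p=P, q=Q):
    """The caveat from the text on a separate toy key with e = a*b: a terminal
    that hands back S' = S^a and answers the challenge with Y^b instead of Y^e
    still satisfies Z == M^t mod n although S' is not the signature. This is
    why run_fig19 insists on a prime e."""
    n, e = p * q, a * b
    d = pow(e, -1, (p - 1) * (q - 1))
    s_true = pow(m, d, n)
    s_bad = pow(s_true, a, n)  # invalid result handed to the card
    y = pow(s_bad, t, n)       # card's challenge Y = S'^t mod n
    z_bad = pow(y, b, n)       # terminal answers with Y^b, not Y^e
    return s_bad != s_true and z_bad == pow(m, t, n)


if __name__ == "__main__":
    msg, t = 98765431, 0x1F3B5                 # constructed message and secret t
    honest = lambda m_: pow(m_, D, N)
    power = lambda s, u: pow(s, u, N)
    print(run_fig18(msg, honest, power))                                 # True
    print(run_fig18(msg, lambda m_: (honest(m_) + 1) % N, power))        # False
    sig = honest(msg)
    print(run_fig19(msg, sig, t, lambda y: pow(y, E, N)))                # True
    print(run_fig19(msg, (sig * 7) % N, t, lambda y: pow(y, E, N)))      # False
    print(composite_e_passes_with_invalid_s(msg, 5, 7, t))               # True
```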

Then, an embodiment of the seventh invention is described in the following.

As described above, when the requested side of the computation has validly executed the conversion, the following equation (93) should be satisfied for M and S.

The IC card 9 separates the secret key d as expressed in the equations (96) and (97). In addition, the IC card 9 computes I = [i_1, i_2, ..., i_k] and J = [j_1, j_2, ..., j_k] which satisfy the equations (98) and (99). This process can be executed by the IC card 9 or by the center as the issuance process of the key, or they can also be secretly stored in the IC card 9.
d = d_op + f_1 d_1 + ... mod (p − 1)   (96)

(97)

(99)

where d_op, d_oq, h_op and h_oq are small values. D = [d_1, d_2, ..., d_m], F = [f_1, f_2, ..., f_m], G = [g_1, g_2, ..., g_m], I = [i_1, i_2, ..., i_k], J = [j_1, j_2, ..., j_k], d_op, d_oq, h_op and h_oq are named separated members of the key d. These D, G, F, I, J, d_op, d_oq, h_op and h_oq become the secret information of the IC card 9.

The server-aided computation protocol including the verification function using the key separated members (signature generation using the RSA cryptosystem) is shown in FIG. 21.

(1) The IC card 9 sends D to the terminal unit 2 (in step 2101).

(2) The terminal unit 2 receives the separated members in step 2110, computes z_i = M^(d_i) mod n (1 ≤ i ≤ m) in step 2111, and sends the result Z = [z_1, z_2, ..., z_m] to the IC card 9 in step 2112.

(3) The IC card 9 receives Z in step 2103 and computes the following equation using the separated members F, G, d_op and d_oq in step 2104. When the terminal unit 2 has not committed an invalidity, the result of the computation is expressed as follows.



(equations for S_p mod p and S_q mod q; only the fragments "mod p", "M mod p" and "mod q" survive in the source)

Then, by using the Chinese remainder theorem with S_p and S_q, the signature is obtained.

When the values of F and G are limited to 0 and 1, the computation of

(equation; only the fragment "mod q" survives in the source)

can be executed without using powers.

Then, a method for determining whether the terminal unit 2 has validly executed its process, so as to determine the validity of the signature S, is described in the following.

(1) In step 2105, the IC card 9 computes the following equation using Z, which has been received from the terminal unit 2 in step 2103, and the separated members I and J. When the terminal unit 2 has not executed an invalid computation, the result is expressed as follows.

(equations for W_p mod p and W_q mod q; only the fragments "mod p", "mod q" and "W mod q" survive in the source)

Then, using the Chinese remainder theorem with W_p and W_q, W is obtained.

(4) The IC card 9 compares M with W in step 2106. When they are matched, the IC card 9 determines the validity of the signature S (in step 2107). When they are not matched, the IC card 9 determines that S is invalid (in step 2108). In the above process, the IC card 9 can determine whether the signature S has been generated by the valid process of the terminal unit 2. When the signature S has been generated in the valid process of the terminal unit 2, the IC card 9 can place trust in the validity of S.

In evaluating the safety of the above process method, when the terminal unit 2 has validly executed the computation, it is obvious that the IC card 9 determines that "the terminal unit 2 has validly executed the computation."

Then, it is necessary to consider the possibility of a case where the terminal unit 2 can pass the last verification equation and change the result S to an invalid signature. Assume that W = M is the last verification equation. W is generated by using the secret information I, J, p, q, h_op and h_oq, which are known only by the IC card 9, in step 2105 in FIG. 21. The terms h_op and h_oq serve to prevent an attack method for passing the last verification equation when the terms i_1 d_1 + ... + i_m d_m and j_1 d_1 + ... + j_m d_m are computed using a random server-aided computation result. Thus, it is difficult for the terminal unit 2 to obtain a separated member Z which passes the verification equation when a signature which is generated using the Z received from the terminal unit 2 is invalid.

In addition, since the terminal unit 2 cannot know d_op, d_oq, F, and G via the protocol, it is impossible for the terminal unit 2 to know the secret information d.

The above separated members can be categorized as the following (1) to (4) depending on whether or not there are common portions between F and G and between I and J.

(1) When the term h+1 to the term k of F and G are the same as those of I and J, respectively:

F = {f_1, ..., f_h, f_(h+1), ..., f_k, 0, ..., 0}

I = {i_1, ..., i_h, i_(h+1), ..., i_k, i_(k+1), ..., i_m}

(2) When the first k terms of F and I are the same as those of G and J, respectively, and the values of the term k+1 to the term m of F and G are all 0:

F = {f_1, ..., f_k, 0, ..., 0}

G = {g_1, ..., g_k, 0, ..., 0}

I = {i_1, ..., i_k, i_(k+1), ..., i_m}

J = {j_1, ..., j_k, j_(k+1), ..., j_m}

(3) When the first k terms of F and I are the same as those of G and J, respectively, and the values of the term k+1 to the term m of I and J are all 0:

F = {f_1, ..., f_k, f_(k+1), ..., f_m}

I = {i_1, ..., i_k, 0, ..., 0}

(4) When there are no same terms between F and G and between I and J:

F = {f_1, ..., f_k, 0, ..., 0}

I = {0, ..., 0, i_(k+1), ..., i_m}

Then, consider the method for generating the separated members of the above (1) to (4).

(1) is a general form which contains both common terms and non-common terms between F and G and between I and J. In this method, since the information necessary for the server-aided computation and the verification is transferred in one communication session, only the requesting side of the computation knows what terms are used for the verification. Although all the terms of Z necessary for generating the signature are not checked (in other words, when I and J are interpolated with Z, the product of the terms whose value is 0 in I and J and the corresponding terms in Z is 0; thus, even if those terms in Z are invalidly changed, it cannot be determined), this method can satisfactorily prevent a sharpshooting which passes the verification equation even if z_i is invalid, by combining two pieces of information, for example, by changing the terms which are not verified into invalid values, or by separately sending and receiving the information for the server-aided computation and the information for the verification.

(2) allows all the terms of Z necessary for generating the signature to be checked, thereby preventing the sharpshooting described above in this separation method.

In (3), W, which is compared with M for checking the validity, is present while the signature is generated. Thus, if Z is an invalid result, it is possible to check the validity of Z before obtaining the signature S. In addition, since an invalid signature is not generated, the computation load can be reduced. When the separated members are generated in such a manner, although all the terms of Z necessary for generating the signature are not checked, this method according to the present invention allows the sharpshooting described in (1) above to be satisfactorily prevented.

In (4), although all the terms are not checked, the method according to the present invention allows the sharpshooting described in (1) above to be satisfactorily prevented.

FIG. 22 shows a system structure which is generally extended.

In FIG. 22, the requesting side of the computation adds the secret information k to the input information x in a first process section 71, executes the pre-process of y = f_k(x) and x' = g_k(x) with the assistance of a process section 74 of the requested side, and obtains the process result in a third process section 75. After that, the requesting side executes the post-process of x' = g_k(x) to obtain x' in a second process section 72, compares x' with x in a comparison section 73, and then verifies the process result obtained in the third process section 75.

Thus, in the seventh invention, the comparison section 73 compares the input information x with the information x' obtained in the second process section 72 and checks the computation result.

Consequently, according to the fifth, sixth, and seventh inventions, when the conversion relating to secret information is executed separately by a plurality of units, the secret information is not divulged to other than a specific unit. In addition, the conversion is executed with the assistance of the computation capacity of the requested side. Moreover, since a disturbance of the computation committed by the requested side and/or a third party can be detected, the server-aided computation relating to the secret information can be executed much more precisely.
What is claimed is:

1. A server-aided computation method for computing the d-th power of an integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^(d') mod n

computing X using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit

M = M'·X mod n.

2. A server-aided computation method for computing the d-th power of an integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^(d') mod n

computing X^(-1) using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using the following equation in said main unit

M = M'·X^(-1) mod n.

3. A server-aided computation method for computing the d-th power of an integer C modulo n using a main unit for executing said computation with secret key d and at least one auxiliary unit for supporting a computation that said main unit executes, said method comprising the steps of:

generating d' from a secret key d using m random numbers R_i (where i = 1, ..., m) generated by said main unit having secret keys n and d;

transferring d' and n from said main unit to said auxiliary unit;

computing the following equation from a message block C in said auxiliary unit

M' = C^(d') mod n

computing X and X^(-1) using said random numbers R_i and n in said main unit while computing M' in said auxiliary unit;

transferring M' from said auxiliary unit to said main unit; and

computing a message block M using M', X, and X^(-1).
4. A server-aided computation method for executing a computation to raise a positive integer M to the d-th power modulo n, using a main unit which has secret information d and at least one auxiliary unit for supporting said computation, said method comprising the steps of:

(a) decomposing said integer n into k (k ≥ 1) positive factors n_j (where j = 1, ..., k) which are relatively prime to each other;

(b) decomposing said positive integer d into (m+1)·k secret integers D_j = [d_j0, f_j1, f_j2, ..., f_jm] (for j = 1, ..., k) stored in said main unit and m × k public integers D'_j = [d_j1, d_j2, ..., d_jm] (j = 1, ..., k) which satisfy the following k sets of equations

where j = 1, ..., k and λ(n_j) is the Carmichael function of said positive integer n_j;

(c) computing in said auxiliary unit Y_ji = M^(d_ji) mod n_j (i = 1, ..., m and j = 1, ..., k) and sending the results to said main unit; and

(d) computing in said main unit the following k values S_j using Y_j0 = M^(d_j0) mod n_j and the Y_ji which have been computed by said main unit;

S_j = Y_j0 · Y_j1^(f_j1) · Y_j2^(f_j2) · ... · Y_jm^(f_jm) mod n_j

where j = 1, ..., k; and

(e) obtaining a result S which satisfies the k simultaneous equations concerning S as follows:

5. The server-aided computation method of claim 4 wherein said integer n is a prime number.

6. The server-aided computation method of claim 4 wherein said integer n is a product of two prime numbers.

7. The server-aided computation method of claim 4 wherein each of the m × k non-negative integers f_j1, f_j2, ..., f_jm is 1 or 0.

8. The server-aided computation method of claim 4 wherein the values d_ji are defined so that they satisfy a condition d_ij = d_uv at least for one set of integer pairs (i, j) and (u, v), where i, j, u and v are arbitrary subscripts.

9. A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to other than said main unit, said distributed information processing unit comprising:

transformation means for transforming input information; inverse transformation means for inversely transforming the transformation results; and

verification means for comparing the inverse transformation results of said inverse transformation means with said input information so as to verify the transformation results of said transformation means, said main unit having said verification means.

10. A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to other than said main unit, said distributed information processing unit comprising:

a plurality of transformation means for executing said transformation of input information; and

verification means for mutually comparing the transformation results of said plurality of transformation means, said main unit having said verification means.

11. The distributed information processing unit of claim 9 wherein said secret information is not disclosed to said auxiliary unit and is distributively processed in said main unit and said auxiliary unit.

12. A distributed information processing unit having a main unit for storing secret information and at least one auxiliary unit for supporting a transformation that said main unit executes, for executing a distributed process without disclosing said secret information necessary for said transformation to other than said main unit, said distributed information processing unit comprising:

first transformation means for executing said transformation of input information;

second transformation means for executing an identity transformation; and

comparison means for comparing the transformation results of said second transformation means with said input information so as to verify the transformation results of said first transformation means, said main unit having said comparison means.

* * * * *
ABSTRACT

A cryptosystem for the RSA cryptography which calculates C = M^e mod n and, for this calculation, performs an operation C = M1 × M2 mod n. An operation

(recurrence for R_j; garbled in the source except the constraints "= 0" and "= 0 or 1")

is performed in the order j = l, l−1, ..., 1 to obtain the last R_1 as the result of the calculation M1 × M2 mod n. The calculation

is performed in a quotient calculating unit, and the calculation M1 × M2 ... is performed in a main adding unit. Here, the variable R_j may be divided into two parts R_j1 and R_j2. In this way, the multiplication and the division are simultaneously conducted, thereby raising the calculation speed.

22 Claims, 186 Drawing Figures
CRYPTOSYSTEM

BACKGROUND OF THE INVENTION

The present invention relates to a cryptosystem for enciphering message or information used in ordinary communications and in electronic computers and deciphering the cryptogram and, more particularly, to a cryptosystem for encryption and/or decryption in a public-key cryptosystem in which an encryption key may be publicly revealed.

In the public-key cryptosystem, different keys are employed for encryption and decryption and anyone can encipher a message using a publicly revealed encryption key but only the receiver can decipher an enciphered message using a privately held decryption key, whereby to ensure privacy communications. Known as such a public-key cryptosystem is the RSA cryptosystem proposed in R. L. Rivest et al., "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, February 1978, Vol. 21, No. 2, pp. 120-126.

An encryption and a decryption procedure are represented by the following congruence expressions:

Encryption: $C = M^{e} \bmod n$ (1)

Decryption: $M = C^{d} \bmod n$ (2)

where C, M, e, d and n are all integers, C a representation of a cryptogram as an integer, M a representation of a plain text as an integer, e and n an encryption key, d and n a decryption key and e ≠ d. In the present invention all the variables except control signals are integers and are represented by 2's complement. The values M, e, d and n are selected, for enhancing the security and calculation capabilities, as follows: n ≈ 10^[…] to 10^[…], e ≈ 10^[…] to 10^[…] and d ≈ 10^[…] to 10^[…] (the exponents are illegible in the scan). The encryption procedure, i.e. a calculation of the remainder C when $M^e$ is divided by n, is carried out in the manner described below. Here, $M_1$, $M_2$, R and C are variables.

Preparation: Let e be represented by

$$e = \sum_{i=0}^{k} e_i\, 2^{i} \qquad (3)$$

where $e_i = 0$ or 1.

Step 1: Set the variable C to 1.

Step 2: Execute steps 2a and 2b for i = k, k−1, ..., 1, 0.

Step 2a: $M_1 \leftarrow C$, $M_2 \leftarrow C$; $R \leftarrow M_1 \times M_2 \bmod n$; $C \leftarrow R$.

Step 2b: If $e_i = 1$: $M_1 \leftarrow C$, $M_2 \leftarrow M$; $R \leftarrow M_1 \times M_2 \bmod n$; $C \leftarrow R$.

In the above steps the symbol ← means to set the value of the right side to the variable of the left side. Thus the encryption procedure of the RSA cipher, that is, computation of $C = M^e \bmod n$, is completed. This calculating procedure will hereinafter be called an "exponentiation procedure".

As will be seen from comparison of Eqs. (1) and (2), the decryption procedure is similarly performed using d instead of e.

In the case where the RSA cryptosystem which performs such encryption and decryption as described above should be implemented through utilization of the LSI technology such as CMOS, nMOS and so forth, the circuit scale of the cryptosystem would be on the order of 100 to 200 K gates. Since the integration density of prior art LSIs is in the range of 10 to 30 K gates per chip, implementation of such a cryptosystem is difficult.

To avoid such difficulty, a crypto-LSI of a microprogram control system, having a circuit scale of about [illegible] gates, has been proposed in R. L. Rivest, "A Description [title partly illegible] of the RSA Public-Key Cryptosystem", National Telecommunications Conference, 1980, Conference Record Vol. 3 of 4, pp. 49.2.1-49.2.4. This crypto-LSI is impractical since its computing speed for cryptography is as low as [illegible] K bits/s. Furthermore, since the encryption key of the RSA cryptosystem has a fixed length of 512 bits in this crypto-LSI, no procedure for cryptography can be carried out in the case where the length of the encryption key is changed to, for example, 256 or 1024 bits.

As described above, in this cryptosystem, the calculation $R = M_1 \times M_2 \bmod n$ is conducted a number of times. In the past, this calculation has been performed in the same manner as ordinary multiplication and division; namely, $M_1 \times M_2$ is obtained by sequential multiplications in an ascending order starting with the least significant digit, and then the multiplication result is divided by n sequentially in a descending order starting with the most significant digit. Therefore, this cryptosystem has the defect that the computing time is extremely long due to such sequential multiplication and division.

SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a cryptosystem which can easily be fabricated as an LSI.

Another object of the present invention is to provide a cryptosystem which permits high-speed encryption and decryption.

Yet another object of the present invention is to provide a cryptosystem at low cost in which the length of an encryption and/or decryption key can be selected over a wide range, such as l bits (l being a constant), 2l bits and a·l bits (a being an integer).

Since the encryption and the decryption are identical procedures with each other as described previously, the following description will be given of the encryption procedure alone.

According to the present invention, the calculation in the aforementioned step

$$R = M_1 \times M_2 \bmod n$$

is performed in the manner described below. The variables e, n, M, C, $M_1$ and $M_2$ are non-negative integers, and, in the following description, these characters are used to represent signals respectively corresponding to the variables. For instance, the variable $M_1$ is a signal $M_1$, too, and a variable $m_{4(j-1)+i}$ (i = 0, 1, 2, 3) is a signal $m_{4(j-1)+i}$ (i = 0, 1, 2, 3), too. The variable $M_2$ is divided into l groups by steps of λ bits as follows:
$$M_2 = \sum_{j=1}^{l} M_{2j}\, 2^{\lambda(j-1)} \qquad (4)$$

where j, $R_j$ and $Q_j$ are variables.

Step ①: $R_{l+1} = 0$.

Step ②: Set j = l, l−1, ..., 1 and perform the following operations:

$$Q_j = \left[\left(M_1 \times M_{2j} + 2^{\lambda} R_{j+1}\right) \div n\right] \qquad (5)$$

$$R_j = M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j\, n \qquad (6)$$

Step ③: Halt ($R_1 = M_1 \times M_2 \bmod n$).

Here, [x] represents the largest possible integer equal to or smaller than x. For instance, [1.0] = 1, [1.5] = 1, [−1.5] = −2 and so forth. By multiplying both sides of Eq. (6) by $2^{\lambda(j-1)}$ and obtaining, for each side, the sum of the results of the multiplications for all j = l to 1 as shown by the following equation, it is proved that this calculation method is correct:

$$\sum_{j=1}^{l} R_j\, 2^{\lambda(j-1)} = \sum_{j=1}^{l} M_1 M_{2j}\, 2^{\lambda(j-1)} + \sum_{j=1}^{l} R_{j+1}\, 2^{\lambda j} - n \sum_{j=1}^{l} Q_j\, 2^{\lambda(j-1)}$$

The first sum on the right side equals $M_1 M_2$ by Eq. (4), the second sum reproduces every term $R_2 2^{\lambda}, \ldots, R_l 2^{\lambda(l-1)}$ of the left side (its last term $R_{l+1} 2^{\lambda l}$ is zero by Step ①), so that $R_1 = M_1 M_2 - n \sum_{j=1}^{l} Q_j 2^{\lambda(j-1)}$; since Eq. (5) keeps $0 \le R_j < n$ at every step, $R_1$ is $M_1 \times M_2 \bmod n$.
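Steps ① to ③ and the exponentiation procedure (Steps 1, 2a, 2b) written out as an added Python example; this is not the patent's own code. It also implements, for comparison with the exact quotient of Eq. (5), the truncated-operand reciprocal estimate $Q_j''$ and the Step 6 to 8 compensation that the approximation section further below describes, with the constants λ = 4, m = 504, u = 13 and δ = 1 read from that section; the modulus, message and exponent are constructed sample values, not a real key.

```python
# Added example (not the patent's own code): the exponentiation procedure
# (Steps 1, 2a, 2b) on top of the digit-serial modular multiplication
# R_j = M1*M2_j + 2^lambda*R_{j+1} - Q_j*n for j = l, ..., 1, once with the
# exact quotient of Eq. (5) and once with the truncated-operand, reciprocal
# estimate Q_j'' of Eqs. (18)-(19) followed by the compensation of Steps 6-8.
# lambda=4, m=504, u=13, delta=1 are the values read from the patent's
# 512-bit worked case; the bookkeeping around them is mine.

LAMBDA = 4            # bits of M2 consumed per step (M2_j is a 4-bit digit)
BITS = 512            # operand length; the patent assumes 2^511 < n < 2^512
M_OMIT = 504          # low-order bits omitted from n and from M1*2^i (m)
U = 13                # v = [2^u / [n*2^-m]], so 2^5 <= v <= 2^6
DELTA = 1             # bias added to the estimate when X_j' >= 0
L = BITS // LAMBDA    # l = 128 digits, processed as j = 128, ..., 1


def digits(m2):
    """M2 = sum_j M2_j * 2^(lambda*(j-1)) (Eq. (4)); list index j-1 holds M2_j."""
    mask = (1 << LAMBDA) - 1
    return [(m2 >> (LAMBDA * (j - 1))) & mask for j in range(1, L + 1)]


def mulmod_exact(m1, m2, n):
    """R_1 = M1*M2 mod n with the exact quotient of Eq. (5)."""
    m2j = digits(m2)
    r = 0                                    # Step 1: R_{l+1} = 0
    for j in range(L, 0, -1):                # Step 2: j = l, l-1, ..., 1
        x = m1 * m2j[j - 1] + (r << LAMBDA)  # M1*M2_j + 2^lambda*R_{j+1}
        q = x // n                           # Eq. (5): Q_j = [x / n]
        r = x - q * n                        # Eq. (6): R_j = x - Q_j*n
    return r                                 # Step 3: R_1


def reciprocal(n):
    """v = [2^13 / [n*2^-504]] (Eq. (15)): only the top 8 bits of n matter."""
    return (1 << U) // (n >> M_OMIT)


def quotient_estimate(m1, m2j, r_next, v):
    """Q_j'' of Eqs. (18)-(19): X_j' from truncated operands, then one small
    multiplication by v in place of the 512-bit division by n."""
    # Eq. (18): omitting 504 bits from 2^4*R_{j+1} omits 500 bits from R_{j+1};
    # omitting 504 bits from M1*2^i omits 504-i bits from M1.
    x = r_next >> (M_OMIT - LAMBDA)          # Python's >> floors negatives too
    for i in range(LAMBDA):
        if (m2j >> i) & 1:
            x += m1 >> (M_OMIT - i)
    q = (x * v) >> U                         # Eq. (19): [X_j' * v * 2^-13]
    return q + DELTA if x >= 0 else q


def mulmod_approx(m1, m2, n):
    """R_1 = M1*M2 mod n with the estimated quotient; returns (R, fix-ups).
    Because R_j = x - Q_j''*n holds for any integer Q_j'', the final R_1 is
    always congruent to M1*M2; the estimate only decides how far it sits
    outside [0, n) before compensation."""
    v = reciprocal(n)
    m2j = digits(m2)
    r = 0                                    # Step 0: R_129 = 0
    for j in range(L, 0, -1):                # Steps 1-4
        q = quotient_estimate(m1, m2j[j - 1], r, v)
        r = m1 * m2j[j - 1] + (r << LAMBDA) - q * n    # Eq. (20)
    fixes = 0
    while r < 0:                             # Steps 6-7: add n while R_1 < 0
        r += n
        fixes += 1
    while r >= n:                            # not in the patent: safety net
        r -= n
        fixes += 1
    return r, fixes                          # Step 8: R <- R_1


def exponentiate(m, e, n, mulmod=mulmod_exact):
    """C = M^e mod n by Steps 1, 2a, 2b (left-to-right square-and-multiply)."""
    c = 1                                    # Step 1
    for i in range(e.bit_length() - 1, -1, -1):   # Step 2: i = k, ..., 1, 0
        c = mulmod(c, c, n)                  # Step 2a: M1 <- C, M2 <- C, C <- R
        if (e >> i) & 1:
            c = mulmod(c, m, n)              # Step 2b: M1 <- C, M2 <- M, C <- R
    return c


def demo_modulus():
    """Constructed 512-bit modulus in the patent's range (not a real RSA key)."""
    return (1 << 511) | (0x9E3779B97F4A7C15 << 200) | 0xB5297A4D1


if __name__ == "__main__":
    n = demo_modulus()
    m, e = 0x1F2E3D4C5B6A79880123456789ABCDEF, 0x10001   # constructed sample
    approx = lambda a, b, nn: mulmod_approx(a, b, nn)[0]
    assert exponentiate(m, e, n) == pow(m, e, n)
    assert exponentiate(m, e, n, approx) == pow(m, e, n)
    print("both multipliers agree with pow(); fix-ups on one product:",
          mulmod_approx(m, m, n)[1])
```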



The addition and the subtraction in Eq. (6) can be performed at high speed using a carry save adder (CSA). Since the variables $R_{j+1}$, $M_1$ and n are extremely large, however, the calculation of Eq. (5) is liable to take too much time; therefore, it is preferred that the calculation of these equations be performed by using various approximations described hereinafter. Here, since the carry save adder has two outputs, $R_j$ is divided into two as follows:

$$R_j = R_{j,1} + R_{j,2} \qquad (7)$$

For high-speed calculation of $Q_j$, a constant of m bits is omitted from the low-order sides of all the variables in Eq. (5), and all the variables have been represented by a 2's complement as mentioned before. $Q_j$ is approximated to $Q_j'$ by the omission:

$$Q_j' = \left[X_j' \div \left[n \cdot 2^{-m}\right]\right] \qquad (8)$$

where $X_j'$ is the numerator of Eq. (5) with its low-order m bits omitted (given together with v in Eq. (11) below), and

$$M_2 = \sum_{i} m_i\, 2^{i}, \qquad M_{2j} = \sum_{i=0}^{\lambda-1} m_{\lambda(j-1)+i}\, 2^{i} \qquad (9)$$

Eq. (8) is a division, which takes much time. For speeding up the computation, a variable v for a reciprocal of the divisor $[n \cdot 2^{-m}]$ and a constant u are introduced, thereby to change Eq. (8) into a form of multiplication. By this procedure, $Q_j'$ is approximated to $Q_j''$:

$$Q_j'' = \begin{cases} \left[X_j' \times v \times 2^{-u}\right] + \delta & \text{for } X_j' \ge 0 \\ \left[X_j' \times v \times 2^{-u}\right] & \text{for } X_j' < 0 \end{cases} \qquad (10)$$

where

$$v = \left[2^{u} \div \left[n \cdot 2^{-m}\right]\right], \qquad X_j' = \left[2^{\lambda} R_{j+1} \cdot 2^{-m}\right] + \sum_{i=0}^{\lambda-1} m_{\lambda(j-1)+i} \left[M_1 \cdot 2^{i} \cdot 2^{-m}\right] \qquad (11)$$

Here, the constant δ is introduced for suppressing any error resulting from the approximation. An error resulting from this close approximation cannot be made zero but can be reduced. By optimal selections of the constants m, δ and u, the errors $\varepsilon_j$ and $\gamma_j$ can be reduced as follows (the reason will be described later):

$$Q_j' = Q_j + \varepsilon_j \qquad (12)$$

$$Q_j'' = Q_j' + \gamma_j, \qquad \gamma_j = 0 \text{ or } 1 \qquad (13)$$

A concrete description will be given of the case of performing the operation $R = M_1 \times M_2 \bmod n$ by the abovesaid close approximation. Since M and n are, for example, about 10^[exponent illegible], which is roughly equal to $2^{512}$ as referred to previously, each variable is represented by a binary number of 512-bit length.

The following conditions are set, by way of example:

$$2^{511} < n < 2^{512}, \qquad 0 \le M_1 < n, \qquad 0 \le M_2 < n,$$

$$M_2 = \sum_{i=0}^{511} m_i\, 2^{i},\ m_i = 0 \text{ or } 1, \qquad M_{2j} = \sum_{i=0}^{3} m_{4(j-1)+i}\, 2^{i},\ j = 128 \text{ to } 1,$$

$$u = 13,\quad m = 504,\quad \delta = 1,\quad \lambda = 4 \qquad (14)$$

(i) n is inputted and v is obtained from Eq. (11):

$$v = \left[2^{13} \div \left[n \cdot 2^{-504}\right]\right] \qquad (15)$$

where $2^{5} < v < 2^{6}$.

(ii) $M_1$ and $M_2$ are inputted. [Eq. (16) is illegible in the scan.]

Repeated Calculation

The calculation method will be shown below in the form of a program flowchart.

Step 0: $j \leftarrow 128$, $R_{129,1} \leftarrow 0$, $R_{129,2} \leftarrow 0$. (17)

Step 1: From Eq. (11),

$$X_j' = \left[R_{j+1} \cdot 2^{-500}\right] + \sum_{i=0}^{3} m_{4(j-1)+i} \left[M_1 \cdot 2^{i} \cdot 2^{-504}\right] \qquad (18)$$

where $-2^{13} < X_j' < 2^{13}$.

Step 2:

$$Q_j'' = \begin{cases} \left[X_j' \times v \times 2^{-13}\right] + 1 & \text{for } X_j' \ge 0 \\ \left[X_j' \times v \times 2^{-13}\right] & \text{for } X_j' < 0 \end{cases} \qquad (19)$$

When $Q_j'' = 32$, set $Q_j'' = 31$, and when $Q_j'' = -32$, set $Q_j'' = -31$.

Step 3: From Eq. (6),

$$R_j = M_1 \times M_{2j} + 2^{4} R_{j+1} - Q_j''\, n \qquad (20)$$

Step 4: If j = 1, then go to Step 5. If j ≠ 1, then $j \leftarrow j - 1$ and go back to Step 1. (21)

Step 5: The repeated calculation ends.

CALCULATION FOR COMPENSATION

Step 6: $R_1 \leftarrow R_{1,1} + R_{1,2}$. (22) If $R_1 \ge 0$ then go to Step 8.

Step 7: $R_1 \leftarrow R_1 + n$. (23) Go back to Step 6.

Step 8: $R \leftarrow R_1$, end. (24)

In the case where the variable e is represented by 512 bits, 0 goes in succession on its high-order bit side. This arises from the aforesaid conditions on the magnitudes of n and e. Since j = 128 to 1, it is seen that the repeated calculation is conducted 128 times. The range of $Q_j''$ obtained from Eq. (19) is given by $-31 \le Q_j'' \le 31$. The calculation method mentioned above will be proved to be appropriate later.

In the compensating calculation, the number of executions of Step 7 may be zero, one or two. The reason for this will be described later. At the time when Step 6 is executed for the first time, the following condition holds:

$$-2n \le R_1 < n$$

So, a register of 514-bit length, including the sign bit, is employed for storing $R_j$. Accordingly, an adder of 514-bit width is used for performing the operation of Eq. (20). In the operation of Eq. (18), 500 bits are discarded for $R_{j+1}$; 504 bits, 503 bits, 502 bits and 501 bits are discarded for $M_1$ in accordance with the values i = 0, 1, 2, 3, respectively. An adder for obtaining $X_j'$ may be an adder of 14-bit width, including the sign bit, because of the condition $-2^{13} < X_j' < 2^{13}$.

As described previously, the operation $R = M_1 \times M_2 \bmod n$ necessary for the calculation for cryptography can be performed by eight steps ① to ⑧. Embodiments of the present invention, described later, execute this computation. That is, a quotient calculating unit, a main adding unit and a controller are provided. To the quotient calculating unit are applied $M_1$, $M_{2j}$, n and $R_{j+1}$ to perform an operation $Q_j = [(M_1 \times M_{2j} + 2^{\lambda} R_{j+1}) \div n]$. To the main adding unit are applied these values together with $Q_j$ to perform an operation $M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j\, n$. The controller controls the quotient calculating unit and the main adding unit so that these operations are performed in the order j = l, l−1, ..., 1. That is, as indicated by the order j = l, l−1, ..., 1, the operation $M_1 \times M_2 \bmod n$ is performed by simultaneously carrying out multiplication and division in a descending order, so that the calculation is conducted at high speed. Furthermore, the calculation in the quotient calculating unit can be further speeded up by discarding and multiplication based on Eq. (10). By using the carry save adder, the addition and subtraction in the main adding unit can be speeded up by the time necessary for carry propagation. This is very significant because the numbers of digits of M and n are very large and because the number of calculations [illegible].

In the present invention, the main adding unit is divided into a plurality of slice sections of the same function. To the slice sections are sequentially applied $M_1$ and n while being divided for each constant width of their binary integers, and $M_{2j}$ and $Q_j$ are provided to the slice sections in common. For each set of $M_1$, n, $M_{2j}$, $Q_j$ and $R_{j+1}$, an operation $R_j = M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j\, n$ is performed. The slice sections are connected in cascade via signal lines so that a part of each calculation result may be provided to a higher-order slice section. In each slice section, one or more registers for storing divided portions of M, n, e, $R_j$ and C are provided as required. By such division of the main adding unit into slice sections, each slice section can easily be fabricated as an LSI even by the present LSI technology, so that the cryptosystem can be produced at low cost. Moreover, by increasing or decreasing the number of slice sections, the lengths of the encryption and decryption keys e and d can be varied with ease.

By applying such division of the main adding unit into slice sections to the case where $M_1 \times M_2 \bmod n$ is calculated by performing the multiplication $M_1 \times M_2$ prior to the division by n, the cryptosystem can be fabricated at low cost.

DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the principle of a conventional technology for the RSA cryptosystem;
FIG. 2 is a block diagram showing the principle of the cryptosystem of the present invention;
FIG. 3 is a block diagram showing the principle of a divisional arrangement of the cryptosystem of the present invention;
FIGS. 4A to 4Z and 5A to 5Q [illegible; they show the symbol conventions used in the drawings];
FIG. 6 is a block diagram illustrating the whole arrangement of an embodiment of the present invention;
FIG. 7 is a block diagram showing an example of a quotient calculating pre-processing section 60 used in FIG. 6;
FIG. 8 is a block diagram showing an example of a quotient calculating post-processing section 61 used in FIG. 6;
FIG. 9 is a diagram illustrating a specific example of an AND element group 70 used in FIG. 8;
FIG. 10 is a diagram illustrating a specific example of a constant generator 71 utilized in FIG. 8;
FIG. 11 is a diagram illustrating a specific example of an adder 72 employed in FIG. 8;
FIG. 12 is a diagram showing a specific example of a carry save adder CSA 73_1 used in FIG. 8;
FIG. 13 is a diagram showing an example of an adder 73_2 used in FIG. 8;
FIG. 14 is a diagram showing an example of an adder 74_h used in FIG. 8;
FIG. 15 is a block diagram illustrating a specific example of a slice section employed in FIG. 6;
FIG. 16 is a diagram illustrating an example of an M register 101 utilized in FIG. 15;
FIG. 17 is a diagram showing an example of an n register 103 employed in FIG. 15;
FIG. 18 is a diagram illustrating an example of a C register 104 used in FIG. 15;
FIG. 19 is a diagram showing an example of an M2 register 105 employed in FIG. 15;
FIG. 20 is a diagram illustrating an example of an e register 102 used in FIG. 15;
FIG. 21 is a diagram illustrating an example of a selector 106 utilized in FIG. 15;
FIG. 22 is a diagram showing an example of a main adding unit 110 employed in FIG. 15;
FIG. 23 is a diagram showing a specific example of an $M_1 \cdot M_{2j}$ calculating section 140 used in FIG. 22;
FIG. 24 is a diagram showing a specific example of a $-Q_j \cdot n$ calculating section 150 used in FIG. 22;
FIG. 25 is a diagram illustrating a specific example of an adding section 160 used in FIG. 22;
FIG. 26 is a diagram illustrating a specific example of a carry save adder 161 used in FIG. 25;
FIG. 27 is a diagram illustrating an example of a register section 170_j utilized in FIG. 22;
FIG. 28 is a diagram showing an example of an adder [illegible];
FIGS. 29 to 32 [illegible in the scan];
FIG. 33 is a diagram showing the coupling state of the C register 104;
FIG. 34 is a diagram showing the coupling state of the M2 register;
FIG. 35 is a diagram showing the coupling state of the selector 106;
FIG. 36 is a diagram showing the coupling state of the main adding unit 110;
FIG. 37 is a diagram showing the coupling state of the $M_1 \cdot M_{2j}$ calculating section 140;
FIG. 38 is a diagram showing the coupling state of the $-Q_j \cdot n$ calculating section;
FIG. 39 is a diagram showing the coupling state of the adding section 160;
FIG. 40 is a diagram showing the coupling section of the register section 170_j;
FIG. 41 is a diagram showing the coupling state of the adder 180;
FIG. 42 is a diagram showing the coupling state of the carry detector 190;
FIG. 43 is explanatory of an operation in the coupling states depicted in FIGS. 39 to 41;
FIG. 44 is a diagram showing an arrangement of bits in the coupling state depicted in FIG. 37;
FIG. 45 is explanatory of the operation in the coupling state depicted in FIG. 37;
FIG. 46 is explanatory of an operation in the coupling state depicted in FIG. 38;
FIG. 47 is explanatory of an operation in the coupling state depicted in FIG. 40;
FIG. 48 is explanatory of an operation in the coupling state depicted in FIG. 42;
FIG. 49 is a block diagram showing the outline of a controller 8;
FIGS. 50A_1 to 50U_1 and FIGS. 50A_2 to 50U_2 are, as a whole, a timing chart illustrating the outline of the operation of the controller 8 used in FIG. 6;
FIG. 51 is a diagram illustrating a specific example of a first control section 230 in the controller 8;
FIGS. 52A to 52J are, as a whole, a timing chart showing the operation of the first control section 230;
FIG. 53 is a diagram illustrating a specific example of a second control section 250 in the controller 8;
FIGS. 54A to 54G are, as a whole, a timing chart showing the operation of the second control section 250;
FIG. 55 is a diagram illustrating a specific example of a third control section 260 in the controller 8;
FIGS. 56A to 56H are, as a whole, a timing chart showing the operation of the third control section 260;
FIG. 57 is a diagram illustrating a specific example of a fourth control section 270 in the controller 8;
FIGS. 58A to 58H are, as a whole, a timing chart showing the operation of the fourth control section 270;
FIG. 59 is a diagram illustrating a specific example of a fifth control section 280 in the controller 8;
FIGS. 60A to 60D are, as a whole, a timing chart showing the operation of the fifth control section 280;
FIG. 61 is a diagram illustrating a modified form of the embodiment of FIG. 6 in which the main adding unit 110 is coupled and used as another means for compensating calculation;
FIG. 62 is a diagram illustrating another example of a quotient calculating unit 9;
FIGS. 63 to 67 [illegible in the scan];
FIG. 68 is a block diagram illustrating the main adding unit in the cryptosystem in the case where the multiplication and division are performed at the same time;
FIG. 69 is a block diagram illustrating the main adding unit in the cryptosystem in the case where the multiplication and division are performed one after the other;
FIG. 70 is a diagram illustrating a specific example of a register section 170_j in FIG. 69;
FIG. 71 is a diagram illustrating an example of the main adding unit shown in FIG. 68 being divided;
FIG. 72 is a diagram illustrating an example of the main adding unit shown in FIG. 69 being divided; and



FIG. 73 is a diagram illustrating another embodiment of the present invention where the quotient calculator 9 is provided in each of the slice sections.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

To facilitate a better understanding of the present invention, a description will be given first of a conventional technology for the RSA cryptography. FIG. 1 shows the principle of a conventional technology which performs calculations for the RSA cryptography. An M-register 1, an e-register 2, an n-register 3 and a C-register 4 are provided for storing variables M, e, n and C respectively. The contents of the M-register 1 and the C-register 4 are supplied to a selector 6 via signal lines 12 and 11, respectively. The selector 6 selects one of the signals from the signal lines 11 and 12 in accordance with a switching signal from a switching signal line 13 and provides the selected signal to an M2-register 5. A multiplier-divider 7 is supplied with a signal $M_1$ on a signal line 14, a signal $M_2$ on a signal line 15 from the M2-register 5 and a signal n on a signal line 17 from the n-register 3. The most significant bit (MSB) of the e-register 2 is provided via a signal line 18 to a controller 8, which, in turn, controls the selector 6 in accordance with the content of the signal applied. The signal lines are each composed of a plurality of signal conductor lines.

At first, the variables M, e and n are stored in the registers 1, 2 and 3, respectively. The e-register 2 is one that has a left circular shift function. Prior to the exponentiation procedure, the content of the e-register 2 is shifted to the left until the left-most bit of the e-register becomes "1". The reason is that the number of calculations in steps 2a and 2b of the exponentiation procedure can be reduced by starting the calculation with a condition [illegible]. Then the controller 8 stores "1" in the C-register 4. Represented by C, the content of the C-register 4 is C = 1. The above is the operation of step 1 of the exponentiation procedure.

Next, the controller 8 executes steps 2a and 2b of the exponentiation procedure in the following manner. On the input signal line 17 of the multiplier-divider 7 is always provided the variable n. Let the signals on the input signal lines 14 and 15 of the multiplier-divider 7 be represented by $M_1$ and $M_2$, respectively, and a signal on an output signal line 16 of the multiplier-divider 7 be represented by R. Since the C-register 4 is connected to the signal line 14, $M_1 \leftarrow C$ is executed. The selector 6 selects the input signal line 11 in accordance with the signal on the signal line 13 from the control unit 8, and the content C of the C-register 4 is latched in the M2-register 5. Accordingly, the signal $M_2$ on the signal line 15 becomes $M_2 \leftarrow C$. Then the multiplier-divider 7 performs the operation $R \leftarrow M_1 \times M_2 \bmod n$ and provides the signal R on the output signal line 16, so that the content of the C-register 4 becomes R, thus executing $C \leftarrow R$. The above is the operation of step 2a of the exponentiation procedure.

The operation of step 2b of the exponentiation procedure differs from the operation of step 2a only in the operation of the selector 6. That is, the input signal line 12 of the selector 6 is selected and the content of the M register 1 is latched in the M2-register 5, resulting in $M_2 \leftarrow M$. The controller 8 executes the operations of steps 2a and 2b while shifting the content of the register 2 to the left bit by bit for each $e_i$ of the variable

$$e = \sum_{i} e_i\, 2^{i}.$$

By such operation, the content C of the C-register 4 finally becomes $C = M^e \bmod n$ based on the exponentiation procedure. By the way, the principle of the calculation order of the RSA cryptosystem shown in FIG. 1 is known, but the construction of the multiplier-divider used therein has not been disclosed and the cryptosystem has not been put into practical products.

FIG. 2 is explanatory of the principle of the cryptosystem of the present invention, the parts corresponding to those in FIG. 1 being identified by the same reference numerals. In FIG. 2, the multiplier-divider used in FIG. 1 is divided into a quotient calculator 9 and a main adder 10. The quotient calculator 9 performs the operation of Eq. (5), i.e. the division for obtaining the quotient, using Eqs. (18) and (19). The main adder 10 is formed of the remaining portion of the multiplier-divider separated from the quotient calculator 9, and it mainly performs the additions in Eqs. (20) and (23). [Illegible] in the main adder 10, for example, as shown in Eq. (20), the multiplication and division are simultaneously performed in a descending order starting with the most significant digit, permitting high-speed [illegible]. [Several lines illegible in the scan.] Signal lines connecting the quotient calculator 9 to other parts are added. The part except for the quotient calculator 9 in FIG. 2, that is, the part identified by 25', will hereinafter be called a "sliceable section". It will be evident that, with the arrangement as shown in FIG. 2, the calculation for cryptography can be conducted by the exponentiation procedure as is the case with the prior art example of FIG. 1. In this case, since Eqs. (5) and (6) [illegible] becomes a signal $M_{2j}$.

FIG. 3 shows the principle of the divisional arrangement of the cryptosystem of the present invention. In the sliceable section 25' in FIG. 2, the parts except for the controller 8 are each divided into, for example, eight, and the eight groups are each provided with one controller 8 to constitute eight sliced sections 25_1 to 25_8. Here, the division into eight is to divide, for example, the M-register 1 of 512-bit length by 64 bits to form eight registers 1_1 to 1_8, by which 512-bit information is represented. The registers 2, 3, 4 and 5 are respectively divided into registers 2_1 to 2_8, 3_1 to 3_8, 4_1 to 4_8 and 5_1 to 5_8. The selector 6 is similarly divided into eight. Also the main adder 10 in FIG. 2 is divided into eight and each processes 64-bit information divided from the 512-bit information. Signal lines 26 and 27 are necessitated as a result of the division of the sliceable section 25'. Signal lines 28_1, 28_2 and 28_3 are input signal lines for the variables e, n and M, and a signal line 29 is an output signal line for the variable C. In this way, the sliceable section can easily be divided because the quotient calculator 9 is not included therein. The cryptosystem of an embodiment of the present invention based on the principle shown in FIG. 3 comprises a plurality of sliced sections obtained by equally dividing the sliceable section 25' of the cryptosystem of FIG. 2 and combining each sliced section with the controller 8, and one quotient calculator. This arrangement has the following features.

The sliceable section 25' in FIG. 2 is difficult to fabricate as one chip using the present LSI technology because it requires 100 to 200K gates when materialized as hardware. According to this embodiment, however, the sliced sections 25_1 to 25_8 are each on the order of 13 to 30K gates, and hence can be implemented by the existing LSI technology. At the same time, since these sliced sections may be formed by the same type of chips, the number of processes involved in the design of the cryptosystem is small, reducing the manufacturing costs.

Furthermore, by increasing or decreasing the number of sliced sections, it is possible to implement cryptosystems at low cost which have various lengths of the encryption and/or decryption keys n and e. A description will be given later in this connection.

In the foregoing, the sliced sections 25_1 to 25_8 are each described as handling 64-bit information but, strictly speaking, the main adder handles 66 bits and 64 bits of them are used for the purpose described previously. This will be described later. The quotient calculator 9 can be divided into a quotient pre-processing section and a quotient post-processing section in accordance with the nature of its processing. The signal lines 26, 21 and 22 will hereinafter be referred to as the exponentiation control signal line, the multiplication control signal line and the division control signal line, respectively.

SYMBOLIZATION CONVENTIONS

Prior to a detailed description of the invention, a description will be given of symbols used for showing various functions in the drawings.

FIG. 4A shows that a terminal 30 of a signal line is not connected to any parts, that is, an open terminal. Incidentally, the signal line is usually composed of more than one signal line and, in this case, the open terminal represents plural open terminals. FIG. 4B shows that a+b signal lines (a = 1, 2, ... and b = 1, 2, ...) are branched into a and b signal lines. In this case, the left-hand a signal lines transmit an a-digit signal from the most significant digit side of the a+b signal lines, represented as a binary number, whereas the right-hand b signal lines similarly transmit a b-digit signal from the least significant side. The arrows of the signal lines indicate the direction of signal transmission. This is common to all the accompanying drawings. When the branching is indicated by lateral lines as seen in FIG. 4C, the upper side indicates the higher-order digit. That is, in the case of a signal represented as a binary number, the signal line on the right-hand side in the direction of the signal transmission indicates the most significant digit and the signal line on the left side the least significant digit. FIG. 4D shows that b groups of signal lines, each including a lines, are described en bloc.

FIG. 4E shows an AND logic of two inputs. This also applies to an AND logic of three or more inputs. FIG. 4F shows a NAND logic of two inputs. This also applies to a NAND logic of three or more inputs. FIG. 4H shows an exclusive OR and FIG. 4I NOT of the exclusive OR. FIG. 4J shows NOT logic. FIG. 4K shows that a signal value "0" is provided. FIG. 4L shows that a signal value "1" is provided. FIG. 4M shows a one-bit full adder. Letting signals on signal lines 31_1, 31_2 and 31_3 be represented by A, B and C (A = 0, 1; B = 0, 1; C = 0, 1), respectively, data on the signal line 32_1 is indicated by A ⊕ B ⊕ C (where ⊕ is exclusive OR) and data on the signal line 32_2 is A·B + B·C + C·A (where · is AND and + is OR).

FIG. 4N shows a two-input selector. Two input signal lines 34_0 and 34_1 and an output signal line 35 are all composed of a (a = 1, 2, ...) signal lines. When a selector input switching signal on a selector input switching signal line 33 is 1, the signal 34_1 is selected, and when the signal on the signal line 33 is 0, the signal line 34_0 is selected. FIG. 4P shows a master-slave D flip-flop, which has at least an input signal line 36 connected to its data terminal D, an input signal line 37 connected to its clock terminal and an output signal line 38 connected to its Q terminal. In some cases, the flip-flop is further provided with an output signal line 39 connected to its Q̄ terminal, a clear signal line 40 and a preset signal line 41. Upon application of a signal "1" from the clear signal line 40, an output signal on the output signal line 38 becomes "0", and when a signal "1" is applied from the preset signal line 41, the output signal on the output signal line 38 becomes "1". This flip-flop reads therein data on the line 36 upon rising of a clock signal on the line 37. FIG. 4Q shows a trigger flip-flop, which has a trigger input signal line 42, a clear signal input signal line 40 and an output signal line 38 connected to its Q terminal, and the sign of the output Q is inverted upon rising of the trigger input to the flip-flop. FIG. 4R shows another symbol of the master-slave D flip-flop of FIG. 4P. This is used when the flip-flop is employed as a one-clock delay circuit. FIG. 4S shows a counter, which has a clear signal line 43, an input signal line 44 for pulses to be counted and an output signal line 45 on which a signal "1" is retained after counting a 513th input pulse. The numeral "512" of CNT512 means that this counter counts pulses 512 times and the 513th pulse causes it to output "1". FIG. 4T is explanatory of the operation of the counter shown in FIG. 4S. After being supplied with a clear signal at a moment 46, the counter CNT512 counts pulses 512 times and, upon detection of the 513th pulse, its output signal becomes "1" at that moment 47. As the counter, there are those which count pulses 128 times, six times and twice, respectively. These counters are indicated by CNT128, CNT6 and CNT2 in the same manner as in the case of FIG. 4S.

FIG. 4U shows en bloc a (a = 1, 2, ...) ANDs as illustrated in FIG. 4V. FIG. 4W shows en bloc a (a = 1, 2, ...) ORs as depicted in FIG. 4X. FIG. 4Y shows en bloc a (a = 1, 2, ...) NOTs as depicted in FIG. 4Z. FIG. 5A is identical with FIG. 5B, in which input and output lines are directly connected. FIG. 5C shows that a b-bit input is shifted up by a bits (where b > a) as shown in FIG. 5D. FIG. 5E shows that a b-bit input is shifted down by a bits and outputted as (b − a) bits (where b > a) as depicted in FIG. 5F. FIG. 5G shows that an a-bit input is outputted with a zero added to its high-order side as depicted in FIG. 5H. FIG. 5I shows that the high-order 10 bits of a 38-bit input are outputted as they are, and that the low-order 28 bits are divided into two by steps of 14 bits and four bits between the high-order two bits and the low-order eight bits of each group are outputted together with the abovesaid high-order 10 bits, as illustrated in FIG. 5J. FIG. 5K shows that the high-order four bits of a 64-bit input are removed therefrom and four bits are added to the low-order side thereof to obtain a 64-bit output as illustrated in FIG. 5L.
FIG. 5M shows that the name of a signal on a signal line 55 is D-SIG. FIG. 5N shows that 12 kinds of control signals are present on the signal line 55, and their names are CT1 to CT12. FIG. 5P shows that five signals are provided on the signal line 55, and that their names are CLOCK, e-in, n-in, START and C-out, respectively. FIG. 5Q shows that the number of signals on a signal line 56 is 12, that they are named CT1 to CT12, respectively, and that they are branched into two signals CT2 and CT1 on a signal line 57, . . . three signals CT5, CT1 and CT11 on a signal line 58, and so forth. The signal value on the signal line is indicated by binary logic "0" or "1" or a binary integer represented as a 2's complement.

GENERAL ARRANGEMENT OF EMBODIMENT

FIG. 6 illustrates the general arrangement of an embodiment of the present invention, in which the parts corresponding to those in FIG. 3 are identified by the same reference numerals and characters. The quotient calculating unit 9 is divided into a quotient calculating pre-processing section 60 and a quotient calculating post-processing section 61, and these processing sections 60 and 61 are interconnected via a signal line 62. The sliced sections 25_1 to 25_8 are provided with input signal lines 63_1 to 63_8, 65_1 to 65_8 and 67_1 to 67_8 and …, and the input signal line 67_8 inputs a signal value "1". The signal value "1" on the signal line 67_8 means that the sliced section 25_8 is the remotest from the quotient calculating unit 9 and on the side of the least significant digit among the sliced sections. Supplied with the signal value "1", one part of the sliced section 25_8 performs a special operation different from operations of the sliced sections 25_1 to 25_7. This will be described later. Reference numerals 8_1 to 8_8 designate controllers 8 in the individual sliced sections 25_1 to 25_8.

Following the principle of the present invention, the cryptosystem of FIG. 6 is supplied with the variables e, n and M from the input signal lines 28_1, 28_2 and 28_3 and performs the operation C=M^e mod n to provide the variable C on the output signal line 29. Similarly the variables d, n and C are applied from the input signal lines 28_1, 28_2 and 28_3 to the cryptosystem when implementing the operation M=C^d mod n, providing the variable M on the output signal line 29.

The cryptosystem receives an operation control signal from the input signal line 63_1 and the controller 8_1 generates a control signal for the entire cryptosystem. The controllers 8_2 to 8_8 do not operate. In other words, the sliced sections 25_1 to 25_8 are made identical in construction and one of the controllers is used. Therefore, instead of providing a controller in each sliced section, a single controller may be separately provided from the sliced sections as is the case of the quotient calculating unit 9.

The operative state of the cryptosystem is reported to the outside via the output signal line 64_1. Various control signals necessary for calculations for cryptography are produced not only by the controller 8_1 but also by the quotient calculation post-processing section 61 and other parts in the sliced section 25_1 than the controller 8_1. The names of signals on the exponentiation control signal line 26, the multiplication control signal line 21 and the division control signal line 22 are EXP-SEL, M-SIG and D-SIG, respectively. The signal line 27 includes 12 lines and their names are CT1 to CT12, respectively.

QUOTIENT CALCULATION PRE-PROCESSING SECTION

FIG. 7 illustrates the quotient calculation pre-processing section, which is formed by a read only memory (ROM) 68. ROM 68 is used instead of the operation of Eq. (15). When a value [n·2^(−…)] is provided as an address on the signal line 19, ROM 68 provides on the signal line 62 a value [2^(…)÷[n·2^(−…)]] precalculated and stored therein. With such an arrangement the value of v calculated by Eq. (15) can be obtained on the signal line 62 by applying high-order bits of the variable n.

QUOTIENT CALCULATION POST-PROCESSING SECTION

FIG. 8 illustrates the general arrangement of the quotient calculation post-processing section 61, which performs the operations of Eqs. (18) and (19). The signal M-SIG on the multiplication control signal line 21 is composed of four signals, each having a value M2_{4(j−1)+i+2} (i=0, 1, 2, 3). Incidentally, …

… the constant 38 in Eq. (18), and a carry save adder (CSA-Q1) 72 performs an addition … to calculate the value of X_j''. The carry save adder (CSA-Q1) 72 has seven inputs and two outputs, all of which are binary integers of … bits. An AND element group 73_1 performs the AND operation necessary for the calculation of X_j''×v in Eq. (19). That is, the AND element group 73_1 is supplied with the value v of …-bit width from the signal line 62 and the value X_j'' from the adder 72 and performs ANDing of each digit of v represented as a binary number and each digit of X_j'' represented as a binary number.

The results of the ANDing are added by a 12-input, 2-output carry save adder (CSA-Q2) 73_2 to obtain the value X_j''×v. Each output from the adder 73_2 is applied to a circuit 73_3 in which 13 bits are discarded from it, and a value [X_j''×v×2^(−13)] is obtained as the sum of signals which are provided on signal lines 73_4 and 73_5. The signals on the signal lines 73_4 and 73_5 are respectively added in one-output carry propagation adders 74_1 and 74_3, and the signals on the signal lines 73_4 and 73_5 and −1 are added together in a three-input, two-output carry save adder (CSA-Q3) 76. The addition results are added in the carry propagation adder 74_2.

On an output signal line 78_1 of the adder 74_1 is provided a value [X_j''×v×2^(−13)]+1, while on an output signal line 78_2 of the adder 74_2 is provided a value [X_j''×v×2^(−13)]−1. The signal on the signal line 78_2 is inverted, providing on a signal line 78_3 the binary value [X_j''×v×2^(−13)]−1 with its respective bits inverted, that is, the absolute value of [X_j''×v×2^(−13)], i.e.
|[X_j''×v×2^(−13)]|. On a most significant bit output signal line 78_4 of the adder 74_3 is obtained a value "0" or "1" depending on whether the sign of [X_j''×v×2^(−13)], i.e., the sign of X_j'', is X_j''≧0 or X_j''<0. The AND of the inverted signal of the signal on the signal line 78_4 and the signal on the signal line 78_1 is obtained in the form of [X_j''×v×2^(−13)] on a signal line 79_1 when X_j''≧0. The AND of the signals on the signal lines 78_4 and 78_3 is provided as |[X_j''×v×2^(−13)]| on a signal line 79_2 when X_j''<0. The signal on the signal line 78_1 is applied to a 32-detector 75_1, which provides a value +31 on a signal line 79_3 when X_j''≧0 and [X_j''×v×2^(−13)]+1≧32. The inverted signal on the signal line 78_2 is supplied to a 32-detector 75_2 to provide a value |−31| on a signal line 79_4 when X_j''<0 and |[X_j''×v×2^(−13)]|≧32. Since the range of Q_j'' is −31≦Q_j''≦31, |Q_j''| can be represented by five bits. The OR of the corresponding bits of the 5-bit signals on the signal lines 79_1 to 79_4 is provided on a signal line 80. The signal on the signal line 80 is composed of five bits of |Q_j''| of Q_j'' defined in Eq. (19). On the signal line 78_4 is provided a sign qs of Q_j'' which is "0" or "1" depending on whether X_j''≧0, i.e. Q_j''≧0, or X_j''<0, i.e. Q_j''<0. On a signal line 82 which is a combination of the signal lines 80 and 78_4 there are provided the most significant bit in the form of qs and the other five bits in the form of |Q_j''|.

On the division control signal line 22 there are provided by the operation of a selector 83 the content of the signal line 82 when CT10=0 and "100001", i.e. −1, from a circuit 75_3 when CT10=1.

For performing the operations of Eqs. (18) and (19), the quotient calculation post-processing section 61 is supplied with high-order 14×2 bits of … (i=0, 1) from the signal line 23, high-order 11 bits of M1 from the signal line 24 and four bits of M2_{4(j−1)+i+2} (i=0, 1, 2, 3) from the signal line 21. The quotient calculation post-processing section 61 calculates X_j'' in accordance with Eq. (18) and calculates Q_j'' by Eq. (19) in accordance with the condition whether the next X_j''≧0 or X_j''<0. When CT10=0, the absolute value of Q_j'' is represented by five bits and the sign of Q_j'' is represented by one bit; namely, a total of six bits is provided on the division control signal line 22. In this case, however, the sign qs of Q_j'' is represented by 0 or 1 depending on whether Q_j''≧0 or Q_j''<0. When CT10=1, the absolute value of Q_j'' is 1 and the sign qs of Q_j'' is 1.

DETAILS OF QUOTIENT CALCULATION POST-PROCESSING SECTION

FIG. 9 illustrates a specific example of the AND element group 70, in which M2_{4(j−1)+i+2}·2^(…) (i=0, 1, 2, 3) from the signal line 21 and M1 of eleven bits from the signal line 24 are ANDed with each other, thereby to perform the operation M1·M2_{4(j−1)+i+2}·2^(…) in Eq. (18).

FIG. 10 illustrates a logic circuit 71 for producing the constant S=38 in Eq. (18). FIG. 11 shows a seven-input two-output carry save adder (CSA-Q1) 72, which is constituted by a combination of three-input two-output carry save adders (CSAUQ1) 90_1 to 90_5. Each of the three-input two-output carry save adders (CSAUQ1) 90_1 to 90_5 is arranged so that corresponding bits of the three inputs are respectively added by full adders of the same number as bits of each input, as shown in FIG. 12. FIG. 13 illustrates a 12-input two-output carry save adder (CSA-Q2) 73_2, which is made up of three-input two-output carry save adders (CSAUQ2) 91_1 to 91_10. FIG. 14 illustrates, by way of example, one of the two-input one-output carry propagation adders 74_1 to 74_3, which is arranged so that corresponding bits of the two inputs are respectively added by full adders of the same number as bits of each input, and carry of each full adder is provided in ascending order.

Sliced Sections

FIG. 15 illustrates, by way of example, the arrangement of one of the sliced sections 25_1 to 25_8 in FIG. 6, in which there are provided registers 101, 102, 103, 104 and 105, each corresponding to one of the eight parts into which the M, e, n, C and M2 registers 1, 2, 3, 4 and 5 are each divided. To the least significant ends of the registers 101 to 105 are respectively connected input signal lines 101_R to 105_R for supplying thereto signals from a lower-order sliced section. To the most significant ends of the registers 101 to 105 are connected output signal lines 101_L to 105_L for supplying therefrom signals to a higher-order sliced section. A selector 106, one of eight parts into which the selector 6 is divided, is provided, which is controlled by a signal on an input signal line 113. A main adder 110, one of eight parts into which the main adding section 10 for mainly performing the additions in Eqs. (20) and (23) is divided, is provided. Connected to the main adder 110 are input signal lines 114 and 115 and an output signal line 116. The content of the register 103 and a signal on the input signal line 103_R are provided via a signal line 117 to the main adder 110. The content of the most significant bit of the register 102 is applied via the signal line 18 to the controller 8.

Signals for controlling the operation of the sliced section are provided via the five input signal lines 63, and their signal names are CLOCK, e-in, n-in, START and C-out. The operative state of the sliced section is reported to the outside thereof via the three signal lines 64, and their signal names are CT7, n-end and CRYPT-end. A signal indicating the state of carry propagation of each of the plurality of sliced sections is applied via the input signal line 65, and a signal indicating the state of carry propagation in the main adder 110 is provided via the output signal line 66 to the outside of the sliced section, this signal name being CRY-end. A signal indicating that the sliced section 25 is the remotest from the quotient calculating unit 9, like the sliced section 25_8 in FIG. 6, is provided via the signal line 67 and its name is TAIL. When the signal TAIL is "1", the sliced section 25 is the remotest from the quotient calculating unit 9. Following the exponentiation procedure, the sliced section 25 executes Eqs. (16), (17) and (20) to (24) on the premise of Eq. (11). Eq. (15) is executed by the quotient calculation pre-processing section 60 and Eqs. (18) and (19) are executed by the quotient calculation post-processing section 61. In the case where the quotient calculating unit 9 and a plurality of sliced sections are connected as shown in FIG. 6, main signals of each sliced section and the calculation for cryptography bear such relationships as described below. Details of the signals will be described later.

The cryptosystem applies the variable e to the plurality of registers 102 (hereinafter referred to as the e-registers) of the plurality of sliced sections 25 upon application of the signal e-in from the control input signal line 63, applies the variable n to the plurality of registers 103 upon application of the signal n-in, and applies the variable M to the plurality of registers 101 upon application of the signal START. After application of the variable M, the e-registers 102 continue bit-by-bit circular left
shifting until the most significant digit (MSD) of each e-register 102 becomes "1".

Next, upon application of the signal CT5, the cryptosystem performs the operation of Step 1 of the exponentiation procedure; that is, the operation C←1 is executed.

Next, upon application of the signal CT6, the operation M2←… in step 2a or M2←M in step 2b of the exponentiation procedure is executed. (Here, M1←C always holds on account of the arrangement of the cryptosystem.) Next, in the period in which the signal CT7 becomes "1", the multiplication and division R=M1×M2 mod n in step 2a or 2b of the exponentiation procedure are executed and, upon application of a signal MDEND, the multiplication and division are finished. Then, C←R is established owing to the arrangement of the cryptosystem.

The execution of the multiplication and division R=M1×M2 mod n based on the exponentiation procedure is controlled as follows: The value of the signal EXP-SEL is determined by each bit e_i of the variable e. When the signal EXP-SEL is "0", step 2a of the exponentiation procedure is executed, and when the signal EXP-SEL is "1", step 2b of the exponentiation procedure is executed. Upon completion of the operation of step 3, the calculation for cryptography is …

With such an arrangement, the calculation for cryptography can be achieved following the principle of the present invention by connecting the quotient calculating unit 9 and the plurality of sliced sections as shown in FIG. 6. The same is true of the case where the quotient calculating unit 9 is divided into the quotient calculation pre-processing section 60 and the quotient calculation post-processing section 61.

Details of Sliced Sections

The registers 101, 103, 104 and 105 are formed as four-bit parallel input-output shift registers, as shown in FIGS. 16, 17, 18 and 19, respectively, and they are shifted by signals CT4, CT3, CT11, and CT6 and CT9, respectively. The register 104 is capable of presetting in parallel a 64-bit signal from a signal line 116 under the control of the signal CT11. In the case where the signal TAIL is "1" when the signal CT5 is provided, "1" is preset only in the least significant bit of the register 104 and other bits are preset to "0", and where the signal TAIL is "0", the register 104 is entirely cleared by the application of CT5. The register 105 is also controlled by the signal CT6 and capable of presetting the 64-bit signal M1 in parallel. The register 102 is constituted as a one-bit shift register as shown in FIG. 20 and it is shifted by the signal CT1. In the sliced section 25_8, when the signal CT2 becomes "1", the register 102 is put in its circular operation. FIG. 21 illustrates a specific example of the selector 106.

FIG. 22 illustrates the general arrangement of an embodiment of the main adder 110. An M1·M2j calculator 140 for calculating M1·M2j seen in FIG. 22 is arranged as depicted in FIG. 23. A −Q_j·n calculator 150 for operating −Q_j·n is arranged as shown in FIG. 24. By the sign bit of the signal on a division control signal line 134 is controlled a selector (SEL-Q) 151 to select a signal n on a signal line 152 from the n-register 103 and a signal line 154 from the next lower-order sliced section and an inverted signal n̄ on a signal line 153 from the n-register 103 and a signal line 155 from the next lower-order sliced section. And the selected signal and the signal Q_j on the signal line 134 are ANDed. An adder 160 seen in FIG. 22 is formed by three-input two-output carry save adders 161_1 to 161_10 as shown in FIG. 25. As shown in FIG. 26, the three-input two-output carry save adder 161 has 66 bits for each input and output, and the most significant one of 64 bits on the lower-order side of the adder 161 is branched to be applied to the corresponding carry save adder 161 of the next higher-order sliced section as indicated by a signal line 88_L. A signal applied via a signal line 88_R from the corresponding lower-order side is provided to the side of the carry outputs from all the full adders FA. Circuits 170_L and 170_R in FIG. 22 are 66-bit registers as shown in FIG. 27. A circuit 180 in FIG. 22 adds two outputs from the adder 160 of this sliced section by a carry propagation adder to produce output as shown in FIG. 28.

Carries resulting from this addition are applied to the next higher-order sliced section one after another. In the most significant sliced section 25_1, carry components in the output from the adder 160 are added by an …, and the sign of the addition result is supplied to the controller 8 via a signal line 187. A carry detector 190 … depending on whether a carry to be transferred to the higher order is produced from the addition of the 66 bits in the adder …

… the signal CT10 to select a signal obtained … by 2^4 and a signal corresponding directly to the calculation result. That is, in the case of the compensating calculation, the signal corresponding to the calculation result is selected and, when the signal obtained by the multiplication …, high-order four bits of … the next lower order sliced section are added to the … significant side of the selected signal.

FIG. 30 shows the state in which the registers 101_1 to 101_8 of the sliced sections 25_1 to 25_8 shown in FIG. 15 are coupled together to form the register 1 of 512-bit length because 64×8=512. The register 1 stores the variable M of 512-bit length. FIG. 31 illustrates the state in which the registers 102_1 to 102_8 of the sliced sections 25_1 to 25_8 are coupled together to set up the e-register 2 of 512-bit length, which stores the variable e of 512-bit length. The e-register 2 has the function of circularly shifting signals of 512 bits to left bit by bit. FIG. 32 illustrates the state in which the registers 103_1 to 103_8 of the sliced sections 25_1 to 25_8 are coupled together to constitute the register 3 of 512-bit length, which stores the variable n of 512-bit length. FIG. 33 shows the state in which the registers 104_1 to 104_8 of the sliced sections 25_1 to 25_8 are coupled together to form the C-register 4 of 512-bit length, which stores the variable R(C) of 512-bit length. FIG. 34 shows the state in which the registers 105_1 to 105_8 of the sliced sections 25_1 to 25_8 are coupled together to form the M2-register 5 of 512-bit length, which stores the variable M2 of 512-bit length. FIG. 35 shows the state in which the selectors 106_1 to 106_8 of the sliced sections 25_1 to 25_8 are coupled together to serve as the selector 6 of two inputs and 512-bit width.
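As an added example (not part of the patent text), the following Python model walks through the exponentiation control sequence described above: the SFT1/CT1 circular shifting of the 512-bit e-register until its MSB is "1" (capped at 512 pulses, as counter 808 closes gate 809), step 1 (C←1), and the 2a/2b steps selected by each bit e_i, with C←R after every R=M1×M2 mod n. It assumes that step 2a uses M2←C (a squaring) and step 2b M2←M, and it replaces the sliced-section hardware with a plain integer multiply-and-reduce.

```python
"""Software model of the exponentiation sequence of the described cryptosystem.

Assumptions (not stated on the page): step 2a is R = C x C mod n (M2 <- C),
step 2b is R = C x M mod n (M2 <- M); both use M1 <- C and end with C <- R.
"""

REGISTER_WIDTH = 512  # the e-register formed from the eight 64-bit slices


def rotate_left(reg: int, width: int) -> int:
    """One circular left shift of a width-bit register (one SFT1/CT1 pulse)."""
    mask = (1 << width) - 1
    return ((reg << 1) | (reg >> (width - 1))) & mask


def mul_div(m1: int, m2: int, n: int) -> int:
    """Stand-in for the sliced sections' multiplication-division R = M1 x M2 mod n."""
    return (m1 * m2) % n


def exponentiate_traced(M: int, e: int, n: int, width: int = REGISTER_WIDTH):
    """Return (C, ct1_pulses, steps).

    C is M^e mod n, ct1_pulses is the number of CT1 pulses spent skipping the
    leading zeros of e, and steps is the executed sequence of "2a"/"2b" steps.
    """
    if n <= 0 or not 0 <= M < n or not 0 <= e < (1 << width):
        raise ValueError("operands do not fit the modelled registers")
    top = 1 << (width - 1)
    e_reg = e
    # SFT1/CT1 phase: rotate until the MSB is "1". Counter 808 closes gate 809
    # after `width` pulses, so an all-zero e cannot spin forever.
    pulses = 0
    while not e_reg & top and pulses < width:
        e_reg = rotate_left(e_reg, width)
        pulses += 1
    C = 1 % n  # step 1 (CT5): C <- 1
    steps = []
    for _ in range(width - pulses):  # one pass per remaining bit, MSB first
        bit_is_one = bool(e_reg & top)
        C = mul_div(C, C, n)  # step 2a: M1 <- C, M2 <- C, then C <- R
        steps.append("2a")
        if bit_is_one:
            # e_i in the MSB is "1" right after 2a, so SFT1 stays "0" and
            # step 2b runs before the next shift
            C = mul_div(C, M, n)  # step 2b: M1 <- C, M2 <- M, then C <- R
            steps.append("2b")
        e_reg = rotate_left(e_reg, width)  # SFT1: next e_i into the MSB
    return C, pulses, steps


def exponentiate(M: int, e: int, n: int, width: int = REGISTER_WIDTH) -> int:
    """C = M^e mod n as the controller sequence produces it."""
    return exponentiate_traced(M, e, n, width)[0]


if __name__ == "__main__":
    # constructed toy RSA parameters (n = 61 * 53), far below the 512-bit width
    n, e, d = 3233, 17, 2753
    cipher, pulses, steps = exponentiate_traced(65, e, n)
    print(cipher, pulses, steps)  # 2790, 507 CT1 pulses, five 2a and two 2b steps
    print(exponentiate(cipher, d, n))  # 65: decryption restores the message
```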
FIG. 36 illustrates the state in which the main adders 110_1 to 110_8 of the sliced sections 25_1 to 25_8 are coupled together to form the main adder 10 of 514-bit width. FIG. 37 shows the state in which the M1·M2j calculators 140_1 to 140_8 of each main adder 110 of the sliced sections 25_1 to 25_8 are coupled together and the input signal lines 114_a (a=1, 2, . . . 8) are divided into input signal lines 114_La and 114_Ra. Because of such coupling, ANDing of M1·M2j (where M1 is 512-bit and M2j is four-bit) in Eq. (20) can be performed. FIG. 38 shows the coupling state of the −Q_j''·n calculators 150_1 to 150_8 of each main adder 110 of the sliced sections 25_1 to 25_8, by which ANDing of −Q_j''·n in Eq. (20) can be carried out. FIG. 39 shows the coupling state of adders 160_1 to 160_8 of each main adder 110 of the sliced sections 25_1 to 25_8. FIG. 40 shows the coupling state of the registers 170_L1 to 170_L8 of each main adder 110 of the sliced sections 25_1 to 25_8. Also the registers 170_R1 to 170_R8 are similarly coupled. FIG. 41 shows the coupling state of the circuits 180_1 to 180_8 of each main adder 110 of the sliced sections 25_1 to 25_8. FIG. 42 shows the coupling state of the carry detectors 190_1 to 190_8 of each main adder 110 of the sliced sections 25_1 to 25_8 with the circuit 135_1 of the sliced section 25_1.

FIG. 43 is explanatory of operations in FIGS. 39 to 40. The circuits 160, 170_L, 170_R and 180 each perform a 66-bit calculation in the sliced sections 25_1 to 25_8, but in the coupled state the sliced sections 25_2 to 25_8 each perform a 64-bit calculation. Thus a calculation of a total of 512+2=514 bits is conducted. FIGS. 44 and 45 illustrate the coupling operation of the M1·M2j calculator 140 in FIG. 37.

From input signal lines 114_L1 to 114_L8 in FIG. 37 are applied to the sliced sections 25_1 to 25_8 the variable M1 by steps of 64 bits, from each of signal lines 114_R1 to … are applied high-order three bits of the input on each of the signal lines 114_L2 to 114_L8, and from a signal line 114_R8 is applied a signal "0" of three bits. As a result of this, the ANDing of M1·M2j (M1 being 512-bit and M2j 4-bit) can be achieved. The number of significant digits used for the operation M1·M2j is 514 from the low-order end, and 515th and higher-order bits are neglected, but this does not matter for the reasons already described.

FIG. 46 shows the coupling operation of a −Q_j''·n calculator shown in FIG. 38 (also see FIG. 24). Signal lines 152_1 to 152_8 equally divide n (512 bits) into eight by steps of 64 bits, and apply them to the −Q_j''·n calculator from the side of the high-order position. Signal lines 153_1 to 153_8 equally divide inverted signals of the respective bits of n into eight by steps of 64 bits and apply them from the side of the high-order position. Signal lines 154_1 to 154_7 apply high-order four bits of the signals on the signal lines 152_2 to 152_8, respectively. A signal line 154_8 applies a signal "…". Signal lines 155_1 to 155_7 apply high-order four bits of the signals on the signal lines 153_2 to 153_8. A signal line 155_8 applies a signal "0000" when the signal TAIL from a signal line 156 (see FIG. 24) is "1". As a result of this, the ANDing of −Q_j'' and n can be performed. The number of significant digits for the operation −Q_j''×n is 514 from the low-order end, and 515th and higher-order bits are neglected, but this does not matter for the reasons already given.

FIG. 47 is explanatory of the coupling operation of the register 170 shown in FIG. 40. The registers 170_L1 to 170_L8 serve as a 514-bit register as a whole in the same manner as described previously in respect of FIG. 44. When the signal CT10 is "1", signals of the registers 170_L1 to 170_L8 are provided, as they are, on signal lines 171_L1 to 171_L8. When the signal CT10 is "0", signals resulting from shifting of the registers 170_L1 to 170_L8 to the high-order side by four bits are provided on the output signal lines 171_L1 to 171_L8. As a result of this, since values of R_{j+1,1} and R_{j+1,0} are stored in the registers 170_L and 170_R, respectively, 2^4·R_{j+1,1} and 2^4·R_{j+1,0} are provided on the signal lines 171_L and 171_R, respectively, when the signal CT10 is "0" and, when the signal CT10 is "1", R_{j+1,1} and R_{j+1,0} are provided on the signal lines 171_L and 171_R. The condition CT10=0 permits the addition in Eq. (20) and the condition CT10=1 permits the addition in Eq. (23).

FIG. 48 is explanatory of the coupling operation of a carry detector 190 shown in FIG. 42. Arrows 191_1 to 191_8 indicate signal values on output signal lines 66_1 to 66_8 of the carry detectors 190_1 to 190_8, respectively.

CONTROLLER

FIG. 49 shows the general arrangement of the controller 8, which comprises first to fifth controllers (CTL1) 230, (CTL2) 250, (CTL3) 260, (CTL4) 270, (CTL5) 280 and other related circuits. From an input signal line 203 are applied a signal CLOCK to all the controllers 230 to 280, the signals e-in, n-in and START to the first controller 230 and the signal C-out to the fifth controller 280. From an input signal line 205 is applied a signal CARRYEND to the fourth controller 270, and from an input signal line 206 is applied a signal SIGN to the fourth controller 270. On an output signal line 204 are provided signals CT2 and n-end from the first controller 230 and the signal CRYPT-end from the second controller 250. On an output signal line 220 of the fourth controller 270 is provided therefrom the signal CT10. On an output signal line 221 of the third controller 260 is provided therefrom the signal EXP-SEL. On an output signal line 227 connected to all the controllers are provided thereon the signals CT1 to CT12. An output signal line 251 of the second controller 250 transmits a signal SFT1 to an OR circuit 800, an output signal line 252 transmits the signal CT5 to the third controller 260 and the signal line 227, and an output signal line 253 transmits a signal es-end to the third controller 260. The third controller 260 applies the signal CT7 via an output signal line 263 to the fourth controller 270 and the signal line 227. The fourth controller 270 applies a signal MDEND via an output signal line 264 to the third controller 260 and a delay circuit 801. From the signal line 18 is supplied e_i of the variable e to the second controller 250.

FIGS. 50A1 to 50U1 and correspondingly continued FIGS. 50A2 to 50U2 show waveforms of the signals CLOCK, e-in, CT1, CT2, n-in, CT3, n-end, START, CT4, MEND, CT5, SFT1, es-end, CT6, CT7, MDEND, e-out, CT11, CT12 and CRYPT-end which occur at respective parts of the controller of FIG. 49 while in operation.

Next, a description will be given, with reference to FIG. 50, of the operation of the controller 8 shown in FIG. 49. The controller 8 inputs thereinto and outputs therefrom signals for controlling the operation C=M^e mod n in the following manner: The signal CLOCK of the cryptosystem is always applied to the controller 8. Upon application of the signal e-in at a moment t1, the first controller 230 outputs therefrom the variable e input command signal CT1, by which the variable e is input bit by bit by 512 clocks. Upon completion of this,
the first controller 230 outputs, at that moment t2, the signal CT2 representing the completion of the input of the variable e.

Next, upon application of the signal n-in at a moment t3, the first controller 230 yields the variable n input command signal CT3, inputting the variable n by steps of four bits by 128 clocks. Upon completion of this, the first controller 230 yields the signal n-end representing the completion of the input of the variable n at that moment t4.

Next, when the signal START is applied at a moment t5, the first controller 230 outputs a variable M input command signal CT4 commanding to input the variable M by steps of four bits by 128 clocks. Upon completion of the input of the variable M, the controller 230 yields the signal MEND representing the end of the input of the variable M at that moment t6. At the same time, the controller 230 yields the signal CT5 for initializing the registers (FIG. 15) within the cryptosystem prior to starting the operation C=M^e mod n.

Next, the second controller 250 generates the signal SFT1 by which the content of the e-register 102 having stored therein the variable e is circularly shifted to left bit by bit, and outputs this signal as the signal CT1 via the OR circuit 800 starting …. The signal CT1 is provided as clock pulses of the same number as the number of 0s on the higher-order side of the variable e represented by 512 bits. When the most significant bit (MSB) of the 512-bit-wide e-register having stored therein the variable e becomes "1" after repeating such circular left shifting bit by bit, the second controller 250 yields the signal es-end representing completion of the signal SFT1 at a moment t8. Then, the following various signals are produced for executing the steps 2a and 2b of the exponentiation procedure.

Upon outputting the signal es-end, the third controller 260 generates the signal CT6 for preparing the start of the operation for the multiplication-division R=M1×M2 mod n first and then yields the signal CT7 indicating the operation. By this, all the main adders 110_1 to 110_8 of the sliced sections 25_1 to 25_8 respectively execute the multiplication-division R=M1×M2 mod n. Upon reception of the signal MDEND indicating the completion of this multiplication-division at a moment t9, the signal CT7 from the third controller 260 is made a 0. The signal CARRYEND on the signal line 205 and the signal SIGN on the signal line 206 are utilized during execution of the multiplication-division. This will be described later in detail. Upon each completion of the multiplication-division, the signals CT6 and SFT1 are output to repeatedly perform the operation C=M1×M2 mod n. But when e_i of the variable e shifted into the most significant bit (MSB) of the e-register is "1" immediately after the execution of the step 2a of the exponentiation procedure, the signal SFT1 is "0". The

CT12 instructing that the variable C be output by steps of four bits by 128 clocks, and the signal CT11 representing the period for which the signal CT12 is valid remains at 1 during the above operation.

In this way, the controller 8 inputs therein and outputs therefrom signals for controlling a series of calculations for inputting the variables e, n and M, executing the operation C=M^e mod n and outputting the variable C.

The following will describe details of operations of the signals CARRYEND and SIGN and specific arrangements of the controllers 230, 250, 260, 270 and 280. FIG. 51 illustrates a specific example of the first controller (CTL1) 230 and FIGS. 52A to 52J show the waveforms of signals which occur at respective parts of the first controller 230 while in operation, the waveforms being identified by corresponding signal names on the left-hand side.

When … 231 is input via a delay circuit 805 to a flip-flop 806, the output from the flip-flop 806 goes to a 1 to open a gate 807. Then the signal CLOCK on the signal line 240 is applied via the gate 807 to a counter 808 for counting and, at the same time, to a gate 809 to output therefrom a … on an output signal line 234. … When the counter 808 reaches 512, the gate 809 is closed. That is, … generated. Further, … is provided on a …, and the signal CT2 is output from a signal …. When the signals CT2 and … are generated, a gate 814 is opened. Next, when the signal START is applied to the gate 814 from a signal line 233, the signal CT4 is … with clocks by means of a flip-flop 815, gates 816 and 818 and a counter 817, after which the signal MEND is sent on a line 237. In this way, the first controller 230 controls inputting of the variables e, n and M.

FIG. 53 illustrates a specific example of the second controller (CTL2) 250 and FIGS. 54A to 54O show waveforms which occur at respective parts of the second controller 250 while in operation. When the signal MEND is applied via the signal line 237 from the first controller 230, the signal CT5 is provided on a signal line 252 from a gate 820 for the delay time of a delay circuit 819. Further, while the signal MEND is applied and the signal … from a signal line 256 remains at 0, gates 821 and 822 are opened to permit the passage therethrough of the signal CLOCK, which is provided as the signal SFT1 on a signal line 251 via an OR circuit
signal CT7 is output as a signal indicating the periods of 823. By the signal SFTl the e-register 102 in FIG, 15 is 
eicecution of the steps 2a and 2b of the exponentiation shifted to left When the most significant bit of the e- 
prooedure. During execution of the multiplicatton-divi- register 102 of the sliced section 25t goes to a 1, the 
sion, the signal EXP-SEL commanding switching of the si^ial ey from the signal line 256 also goes to a 1 to cause 
selectors 106j to 1068 >s provided on the signal line 221. 60 a Q output of a flip-flop 824 to go to a 1, opening a gate 
Here, \ii^en the value of the signal EXP-SEL is 0, the 825 and ou^utting the signal es-end via a gate 826 on a 
Step 2a of the exponentiation procedure is executed and, signal line 253. Thereafter, upon each ^plication of the 
when the signal EX-SEL is 1, the step 2b is executed. signal S FT2 from a signal hne 254^ it is output as the 
Upon completion of the exponentiation, the signal signal SFTl via the gate 825 and the OR circuit 823. 
CRYFT-end is derived from the second controller 250. 65 The outpntt ton the OR circuit 823, that ts» the signals 
Upon inputting the signal Cout commanding to SFTl are counted by a counter 827, which provides the 
bring out the variable C from the cryptosystem at a dgnal CRYFT*end on a signal line 255 when having 
moment tjoi the fifth conUoUer 280 ouq[>uts the signal counted 512 after inputting of the ssgmJ CTS. 
In this way, when supplied with the signal MEND representing completion of inputting the variable M, the second controller 250 performs control of circularly shifting the content of the e-register to left until its most significant bit goes to a 1, yielding the signal SFT1 for a circular shift of the e-register left one bit position upon each application of the signal SFT2, and outputting the signal CRYPT-end after the circular shift of the e-register left a total of 512 bit positions, i.e. after one circular shift cycle of the e-register.

FIG. 55 illustrates a specific example of the third controller (CTL3) 260 in FIG. 49, and FIGS. 56A to 56H show, by way of example, signal waveforms which occur at respective parts of the third controller 260 while in operation.

Upon application of the signal CT5 via the signal line 252 from the second controller 250, flip-flops 828, 829, 830 and 831 are cleared. Upon application of the signal es-end via the signal line 253 from the second controller 250, the signal CT6 is provided via an OR circuit 832 on a signal line 261 and the flip-flop 831 is triggered via an OR circuit 833, providing a Q output of the flip-flop 831 as the signal CT7 on a signal line 263. The operation R = M1×M2 mod n is started and, upon completion of this calculation, the signal MDEND is input via a signal line 264 from the fourth controller 270, for example, at a moment t1. The signal MDEND is applied via the OR circuit 833 to the flip-flop 831 to trigger it, causing the signal CT7 to go from a 1 to a 0. The signal e_i on the signal line 256 and the Q output of the flip-flop 828 are provided to a NOT EXCLUSIVE OR 834, and its output and the signal MDEND are provided to an AND gate 835, so that if the signal e_i is a 1 when the signal MDEND is applied at the moment t1, the output from the NOT EXCLUSIVE OR 834 is a 0 and the output from the AND gate 835 remains at a 0, resulting in the signal SFT2 not being output on the signal line 254. Moreover, since the signal MDEND, the signal e_i on the signal line 256 and a Q output of the flip-flop 828 are provided to an AND gate 836, the Q output from the flip-flop 828 goes to a 1 in the case where the signal e_i is at a 1 at the time of application of the signal MDEND. Furthermore, the signal MDEND at the moment t1 passes through the flip-flops 829 and 830, thereafter being sent as the signal CT6 via a gate 837 and the OR circuit 832 on the signal line 261 at a moment t3. The output from the flip-flop 830 is provided via a gate 838 and the OR circuit 833 to the flip-flop 831 to trigger it, generating the signal CT7 at a moment t4. Consequently, the operation R = M1×M2 mod n is resumed; namely, the step 2b is executed. When the signal MDEND is applied again at a moment t5, the same operations as described above are carried out but, in the case where the signal e_i is at a 1, the output from the circuit 834 goes to a 1, yielding the signal SFT2 as shown at the moment t6. In the case where the signal e_i is at a 0 when the signal MDEND occurs at the moment t1, however, the output from the circuit 834 goes to a 1 to generate the signal SFT2 and, by the next signal CT7, the step 2a is executed. At this time, the Q output of the flip-flop 828 is made a 0.

Thus, in the exponentiation procedure, if the condition e_i = 0 holds immediately after the step 2a, then the content of the e-register 102 is shifted one bit position and an operation i ← i − 1 is performed; if e_i = 1 immediately after the completion of the step 2a, then the step 2b is executed and the content of the e-register 102 is shifted one bit position, thereafter the operation i ← i − 1 is executed. These procedures are repeated until i reaches 0. Since the gate 837 is closed when the signal CRYPT-end is applied via the signal line 255 from the second controller 250, even if the signal MDEND is applied, the signal CT6 is not generated, as indicated at a moment t6.

Thus, in the exponentiation procedure, after the calculation of the step 2 has been controlled, that is, after the variable e has been made e_k, e_{k−1}, ..., e_1, e_0 in the binary representation, the steps 2a and 2b are executed in the order i = k, k−1, ..., 1, 0.

FIG. 57 illustrates a specific example of the fourth controller (CTL4) 270 shown in FIG. 49, and FIGS. 58A to 58H show, by way of example, signal waveforms which occur at respective parts of the fourth controller 270 while in operation. Upon application of the signal CT7 via the signal line 263 from the third controller 260, the signal CT8 is provided on a signal line 271 from a gate 840. By the signal CT8, a counter 841 and a flip-flop 842 are cleared, and counters 276 and 277 are cleared via an OR circuit 843. By the signal CT7, a gate 844 is opened, through which the signal CLOCK from the signal line 240 is applied to the counter 841 for counting and, at the same time, the signal CT9 is provided via a gate 845 on a signal line 272. When the counter 841 has counted the signal CLOCK up to 128, the gate 845 is closed by the output from the counter 841 to stop sending out of the signal CT9 but, on the other hand, a gate 846 is opened, permitting the counters 276 and 277 to start counting the signal CLOCK at a moment t1. At the moment t1 the successive calculation R_1 = M1×M2 mod n is completed and R_1 < 0 is checked in Eq. (22). In the case where the signal CARRYEND is at a 0 on a signal line 275 when the counter 276 has counted the signal CLOCK up to two after the moment t1, a gate 847 remains closed and, at a moment t2 when the counter 277 has counted the signal CLOCK [...], the output from the counter 277 is applied via an OR circuit 848 to a gate 849, by the output of which gates 850 and 851 are opened for a fixed period of time. At this moment t2, the signal SIGN on a signal line 274, that is, the sign of R_1 in Eq. (22), is checked. When the signal SIGN is 1, that is, when R_1 < 0, the signal CT10 is sent on a signal line 275 via the gate 851. By this, the compensating calculation of Eq. (23) is performed. At this time, the counters 276 and 277 are cleared by the output of the gate 849 via the OR circuit 843 but, at a moment t4 of completion of this clearing, the counters 276 and 277 start counting again. At a moment t5 when the counter 276 has counted the signal CLOCK up to two, the gate 847 is opened and, if the signal CARRYEND on the signal line 275 is 1, the output of the gate 847 is provided via the OR circuit 848 to the gate 849 and, by the output of the gate 849, the gates 850 and 851 are opened at t6, checking the signal SIGN, that is, the sign of R_1. At this time, when the signal SIGN is at a 1, the signal CT10 is output at the moment t6. Similarly, the compensating calculation of Eq. (23) is performed and then, at a moment t7 when the gates 850 and 851 are opened, if the signal SIGN is at a 0, the signal MDEND is provided from the gate 850 on a signal line 264. By this signal MDEND, the signal CT7 is made a 0 as described previously in
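The control sequence just described (the second controller shifts e until its MSB is 1, then the third controller runs step 2a for every remaining bit and step 2b only when the bit in the MSB position is 1, shifting once per bit until 512 shifts have been counted) is the left-to-right binary method. The following is an added example written for this page, not code from the patent; the function names, the `trace` list and the constructed test values are my own. It also records the order of 2a/2b operations, which is the same information as the CT6/CT7 pulse pattern, and shows that this order alone reconstructs e: a practitioner should treat anything that exposes the operation timing of such a circuit as exposing the exponent.

```python
"""Control sequence of C = M^e mod n as the page's second and third controllers
run it. Added example for this page, not the patent's own code."""
import random

WIDTH = 512          # width of the e-register


def modexp_msb_first(M: int, e: int, n: int, width: int = WIDTH):
    """Return (C, trace): C = M^e mod n and the multiplication-division steps in
    the order the hardware issues them ('2a': C <- C*C mod n, '2b': C <- C*M mod n)."""
    assert 0 < e < (1 << width) and 0 <= M < n
    # Second controller 250: SFT1 shifts the e-register left until its MSB is 1;
    # es-end is raised once the leading zeros have been shifted out.
    shifts = width - e.bit_length()
    C = 1
    trace = []
    # Third controller 260: for i = k, k-1, ..., 0 run step 2a and, when the
    # bit e_i now in the MSB position is 1, step 2b; then shift once more.
    for i in range(e.bit_length() - 1, -1, -1):
        C = (C * C) % n                 # step 2a (EXP-SEL = 0)
        trace.append("2a")
        if (e >> i) & 1:
            C = (C * M) % n             # step 2b (EXP-SEL = 1)
            trace.append("2b")
        shifts += 1
    assert shifts == width              # CRYPT-end: one full circular shift cycle
    return C, trace


def exponent_from_trace(trace):
    """Rebuild e from the step sequence: every '2a' opens a new bit, which is 1
    exactly when a '2b' follows. The CT6/CT7 pulse pattern therefore leaks e."""
    e, i = 0, 0
    while i < len(trace):
        e <<= 1
        if i + 1 < len(trace) and trace[i + 1] == "2b":
            e |= 1
            i += 2
        else:
            i += 1
    return e


def selfcheck(trials: int = 10, seed: int = 3) -> bool:
    """Random 512-bit cases against pow(); constructed data with a fixed seed."""
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.getrandbits(WIDTH) | (1 << (WIDTH - 1)) | 1
        M, e = rng.randrange(n), rng.getrandbits(WIDTH) | 1
        C, tr = modexp_msb_first(M, e, n)
        if C != pow(M, e, n) or exponent_from_trace(tr) != e:
            return False
    return True


if __name__ == "__main__":
    C, tr = modexp_msb_first(65, 17, 3233)  # textbook RSA numbers, n = 61 * 53
    print(C, tr, exponent_from_trace(tr))   # 2790, seven steps, 17
```

For e = 17 (10001 in binary) the trace is 2a, 2b, 2a, 2a, 2a, 2a, 2b: one step-2a per bit and a step-2b after each 1 bit, so the number of multiplication-divisions, and hence the run time of the circuit, depends on the Hamming weight and the bit pattern of e.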
respect of FIG. 55. The signal CT7 is a signal that holds a 1 during the operation R = M1×M2 mod n. Further, a Q output of the flip-flop 842 is caused by the signal MDEND to go to a 1, and a gate 852 is opened, through which the supply of the signal CLOCK to the counters 276 and 277 is continued, preventing occurrence of the signal CT10 while the signal CT7 is at a 0.

In this way, the compensating calculation for the multiplications and divisions in Eqs. (22) to (24) can be controlled. FIG. 59 illustrates a specific example of the fifth controller 280 shown in FIG. 49 and FIGS. 60A to 60D show signal waveforms which occur at respective parts of the controller 280 while in operation. Upon application of the signal CRYPT-end via a signal line 282 from the second controller 250, a gate 853 is opened by the signal CRYPT-end. If the signal C-out is input from a signal line 281 in this state, a flip-flop 854 is driven via the gate 853 and its Q output goes to a 1, which is output as the signal CT11 on a signal line 283 via a gate 855. And, by the output of the flip-flop 854, a gate 856 is opened and the signal CLOCK on the signal line 240 is counted by a counter 857. At the same time, the signal CT12' is provided via a gate 858 on a signal line 284, and output as the signal CT12 via the OR circuit in FIG. 49, and the calculation result in the C-register 104 is output from the cryptosystem. When the counter 857 has counted up to 128, the gates 855 and 858 are both closed, stopping both the signals CT11 and CT12'.

After the operation C = M^e mod n has thus been completed, the variable C of 512 bits can be output from the cryptosystem by steps of four bits by 128 clocks.

In the quotient calculation pre-processing section 60 shown in FIG. 7, n (2^511 < n < 2^512) is input and v is obtained by Eq. (15), i.e. v ← [2^13 ÷ [n·2^−504]]. A supplementary description will be given of the size of ROM 68 of the pre-processing section 60. The address of ROM 68 can be represented by a positive integer of eight-bit width based on the condition 2^7 ≤ [n·2^−504] < 2^8. Since 2^7 or fewer addresses are not used, however, the size of ROM 68 may be one-half of that of a ROM having 2^8 or fewer addresses. The value of v can be represented by a positive integer of six-bit width based on the condition 2^5 ≤ v < 2^6. But the most significant bit (MSB) of v is always 1 and this value is fixed, so that the value of v except for the "1" of the most significant bit is stored in ROM 68 using five bits and, when referring to the value of v, one bit having a value "1" is added as the most significant bit of v by an inverter 859. It is also possible, of course, to arrange the pre-processing section 60 so that the ROM itself inputs therein n of eight bits and outputs therefrom v of six bits.

COMPENSATING CALCULATION

The calculations of Eqs. (20) and (21) are repeated and it is checked whether a compensating calculation is required in Eq. (22), and if necessary, the compensating calculation is performed. A description will be given, with reference to FIG. 22, of the compensating calculation. In the period during which the value of the signal CT10 on a signal line 300 holds zero, that is, in the period in which mainly the operations of Eqs. (17) to (22) are performed, input signal lines 303 and 304 of the selectors 301 and 302 are selected and the value of the variable R_{j+1} is shifted left four bit positions in each of circuits 861 and 862, selecting the value 2^4·R_{j+1} necessary for calculating Eq. (20).

When the signal CT10 on the signal line 300 has a value 1, that is, when the compensating calculation of Eq. (22) is executed, input signal lines 305 and 306 of the selectors 301 and 302 are selected, that is, the value of the variable R_{j+1} itself is selected. In the quotient calculation post-processing section 61 shown in FIG. 8, the selector 83 selects the output of a circuit 753 by the signal CT10 and Q_j'' = −1 is provided via the signal line 22 to the −Q·n calculator 150 in FIG. 22. Furthermore, as shown in FIG. 15, an AND gate 136 is supplied with an inverted signal of the signal CT10, and hence is closed, and the output of the M2-register 105 is not provided on the signal line 105_1. And, the value of the signal on the signal line 105_1, that is, the value δ_{(j−1)X+i} (i = 0, 1, 2, 3) of the signal M-SIG on a signal line 21 in FIG. 6, namely, M2_j, becomes 0 and, as a result of this, Eq. (23) is calculated in the adder 160.

This compensating calculation can be changed as follows:

Step 2': [...] (22')
Step 3': if R_1 [...] then [...]; R_1 ← R_1 + n (23')
Step 4': R ← R_1. Halt. (24')

The compensating calculation by Eqs. (22') to (24') can be implemented, for instance, as shown in FIG. 61. The outputs R_{j+1,1} and R_{j+1,0} of the registers 170_1 and 170_0 are respectively applied via signal lines 313 and 314 to the selectors 311 and 312 at one input thereof and, at the same time, the register outputs are respectively shifted by the circuits 861 and 862 to the left by four bit positions and supplied to the adder 160. The high-order 66 lines of the signal line 308 are connected as a signal line 315 to the other input of the selector 311. The signal line 309 is added with high-order two bits and connected as a signal line 316 to the other input of the selector 312. The number of lines of the output signal line 116 is not 64 but increased to 66 and this output is input to the register 104 shown in FIG. 15, from which it is input via the signal line 114 to the main adder 110, so that the input signal line 114 is composed of 66 lines and three lines.

While the signal CT10 assumes a value 0, that is, while the repetitive calculations of Eqs. (7) to (12) and (21') are executed, the selectors 311 and 312 select the signal lines 313 and 314, whereby Eq. (22') is correctly calculated. When the signal CT10 assumes a value 1, the signals R_1 and n from the selectors 311 and 312 are added. As a result of this, Eq. (23') is correctly computed. The value of the eight-divided signal R_1 on the output signal line 116 of the main adder 110 is provided to the signal line 308 shown in FIG. 61 via the register 104 and the signal line 114 shown in FIG. 15. In other words, the values eight-divided from the signals R_1 and n are obtained on the signal lines 315 and 316, respectively, in consequence of which the calculation R_1 ← R_1 + n, i.e. Eq. (23'), is correctly performed. Here, the value eight-divided from the signal n represents 64 bits obtained by dividing the variable n of 512-bit width equally into eight. The values of the eight-divided signal R_1 represent eight groups of bits obtained by dividing the 514-bit-width variable R_1 into a group of 66 bits and seven 64-bit groups (i.e. 514 = 66 + 64×7). In this case, since the adder 160 is not used for the compensating calculation, the circuit 753, the selector 83 and the signal line 20 in FIG. 8 are unnecessary, and the signal line 82 is connected directly to the signal line 22. Furthermore, the gate 136 in FIG. 15 is also unnecessary and the four output signal lines of the M2-register 105 are connected directly to the signal line 105_1. Besides, the C-register 104 in FIG. 15 is made 66-bit-wide, not 64-bit-wide, and, in the coupling of the registers 104_1 to 104_8 shown in FIG. 33, the register 104 is constituted as a 514-bit-wide register based on the calculation 512 + 2 = 514, as is the case with FIG. 44.

MODIFICATION OF −Q·n CALCULATOR

A description will be given of the main point of another example of the −Q·n calculator 150 shown in FIG. 22. |Q_j''| is represented as a binary number $|Q_j''| = \sum_{\mu=0}^{h} H_\mu \cdot 2^{\mu}$, where h ≤ [...], and is given by

$|Q_j''| = Q_{ja} + Q_{jb} + Q_{jc}$ (E-1)

where

$Q_{ja} = [\ldots]$ (E-2)

$Q_{jb} = [\ldots]$ (E-3)

$Q_{jc} = -H_1 \cdot 2 + H_0$ (E-4)

For instance, in the case where |Q_j''| = 11011, Q_ja = 2^5, Q_jb = −2^2 and Q_jc = −1. With such a representation, |Q_j''|·n requires 5×66 bits if Q_j'' is represented as a mere binary number but, if Q_ja, Q_jb and Q_jc are used, 3×66 bits are sufficient for 2^5, −2^2 and −1, so that 2×66 bits become unnecessary, permitting the reduction of the number of inputs to the carry save adder 160 shown in FIG. 22. FIG. 62 illustrates, by way of example, the circuit arrangement therefor corresponding to that depicted in FIG. 24. In FIG. 62, Q_ja, Q_jb and Q_jc generators 502, 503 and 504 respectively input therein Q_j'' from the signal line 134 and compute Q_ja, Q_jb and Q_jc by the logic shown in FIGS. 63, 64 and 65, thereafter outputting the calculation results. For example, in FIG. 63, a column 2^4 of the input indicates the digit position of 2^4 of |Q_j''| represented as a binary number. The same is true of 2^3, 2^2 and 2^1. −2^5 and −2^4 in the column of output indicate output terminals of the Q_ja generator 502 and are caused to have a 1; 0 in the column of output indicates that the signal value at the output terminal is at a 0. For instance, in the case where 2^4, 2^3 and 2^2 in a column of input are 0, 1 and 1, it indicates that a signal at the output terminal 2^5 is caused to have a 1. As a result of this, the quantity of data representing −Q_j''·n is decreased, permitting reduction of the circuit scale of the carry storage type adder 160.

NUMERICAL EXPRESSION OF THE PRINCIPLE OF THE MULTIPLIER-DIVIDER, PRINCIPLE PART OF THE CRYPTOSYSTEM OF THE PRESENT INVENTION

The principle of obtaining the quotient Q and the remainder R of a multiplication-division of integers (M1×M2)÷n is shown as a theorem and a system of theorems by numerical expressions.

Theorem

The quotient Q and the remainder R of the multiplication-division (M1×M2)÷n [...] are described hereinafter by Eqs. (F20) to (F22), obtained by repeating the recurrence formulae of Eqs. (F14) to (F19) in the order j = l, l−1, ..., 2, 1 on the premise of Eqs. (F1) to (F13). Here, Eq. (F17) represents the range over which I_j is obtainable with Eq. (F16) and Eq. (F18) indicates the method of calculation of R_j. In the equations, n, M1, M2, R_{j+1} and R_j are variables, m, K, A, X, ω, S, t_1 and t_2 constants and α_j a random number the value of which irregularly varies as the value of j is changed, t_1 and t_2 being real numbers and the others being integers. Incidentally, since α_j naturally occurs, there is no need of taking it into account when forming adders. This means that α_j may be neglected, for example, in Eq. (F16).

If a multiplication-division (M1×M2')÷n' is performed with M2' = M2×2 and n' = n×2 so as to obtain the quotient Q and the remainder R of the multiplication-division (M1×M2)÷n, the least significant bit of M2' is always 0, so that it is not a difficult condition to cause Eq. (F13) to hold when [...]. However, since R = [R2÷2] and Q = Q2 hold for the quotient Q2 and the remainder R2 of (M1×M2')÷n', the least significant bit of R2 is unnecessary for R. The addition of Eq. (F18) is applied to the case of using a carry save type adder, but this addition can also be performed using a carry propagation adder, with α_j = 0 and A = 1. In the following, a constant may sometimes be called a parameter.

Eqs. (F1) to (F13) (premises; of these only (F5), X = 1, 2, ..., and (F6), ω = 0 or 1, are legible in the source).
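The "−Q·n calculator" modification above replaces the five shifted copies of n that a plain 5-bit |Q_j''| would need by three: Eq. (E-4), Q_jc = H_0 − 2H_1, is the lowest digit of the radix-4 (modified Booth) recoding, and the worked value |Q_j''| = 11011 = 27 = 2^5 − 2^2 − 1 is exactly what that recoding produces. The following is an added example written for this page, not the patent's circuit; Eqs. (E-2) and (E-3), which are not legible in the source, are taken here to be the remaining radix-4 Booth digits, and the function names are my own. It recodes any signed Q_j'' and forms the −Q_j''·n addends for a carry save adder as shifted copies of ±n.

```python
"""Signed-digit recoding of the quotient digit for the -Q*n calculator.
Added example for this page; the recoding is the standard radix-4 Booth one."""


def booth_radix4_digits(q: int):
    """Radix-4 (modified Booth) recoding of q: digits d_i in {-2,...,2} with
    q == sum(d_i * 4**i). Bits of a negative q are taken sign-extended, which is
    what Python's >> provides. Digit 0 is H0 - 2*H1, the page's Eq. (E-4)."""
    ndig = (abs(q).bit_length() + 2) // 2
    digits = []
    for i in range(ndig):
        b_lo = (q >> (2 * i - 1)) & 1 if i > 0 else 0   # b_{2i-1}, with b_{-1} = 0
        b_mid = (q >> (2 * i)) & 1                       # b_{2i}
        b_hi = (q >> (2 * i + 1)) & 1                    # b_{2i+1}
        digits.append(b_lo + b_mid - 2 * b_hi)
    return digits


def signed_power_terms(q: int):
    """The terms Q_ja, Q_jb, Q_jc of the page: each non-zero digit d_i becomes
    d_i * 4^i, i.e. +/-2^k. A 5-bit |q| therefore needs at most three terms."""
    return [d * (4 ** i) for i, d in enumerate(booth_radix4_digits(q)) if d]


def neg_qn_addends(q: int, n: int):
    """Operands for the carry save adder computing -q*n: one shifted copy of n
    per term, negated when the term is positive (-(+2^k * n) = -(n << k))."""
    out = []
    for t in signed_power_terms(q):
        k = abs(t).bit_length() - 1           # t == +/-2^k
        out.append(-(n << k) if t > 0 else (n << k))
    return out


if __name__ == "__main__":
    print(signed_power_terms(0b11011))        # [-1, -4, 32]: 27 = 2^5 - 2^2 - 1
```

Because the recoding also accepts negative q, the same three generators cover the signed range −2^{K+1} + 1 ≤ Q_j'' ≤ 2^{K+1} − 1 used in the examples later on this page.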
adder for the addition of Eq. (F18) means that the application of the corollary 1 is meaningless.



u-i . 



So 0 ImI when m « 1 
Rl+i-0 



-A • B • 2-* - M • n 4 c*8jg^ • Mi S 
R/4 1 S D + t] • n -f «*8/x • Ml 

V 



(FIJ) 



ly . PC + [b . J-'TJ 

1^ . PC -t- {a • 2"*T1 



(FI9) 



(FI3) 
(FM) 



f{ia^IV+l)2-"1 + 1<M| . Mi^-- 1 + S + a/ - 



Corollary 2 

Eqs. (F30) and (F31), but Eq. (F\€) can be obtained 
<FI3) )o ffQiQ £qs, (P32) to (F34) on the premise that w is an 
integer. In this case, however, Eqs. (F8X (F18), (F19) 
and (F21) become (FS)", (FlSr, (F19)" and {F21)", 
^^^^ respectively. 



2^.R^I + M, .Mi^- lyn- 

(S + A + (l2 + 0) • 2- + • • fitf-IA • 
(M|.2-"J.2"SR/ 



(FIT) 
(FIS) 






ii ar 
02 + I) a 2» 






< B + a " S + I|)2« + «> • 6(/-iyi * (Ml * 2-"l • 2" 



(FI9) 



_,rtx.v.2 

LPC.V.2 



(F30) 
(F3I) 

(F32) 



. pf*+»+»>+(ii .2- 



■T! 



forX < 0 



$Q = \sum_{j=1}^{l} I_j \cdot 2^{(j-1)X} - \delta$ (F20)

$\delta = 2$ for $R_1 < -n$; $\delta = 1$ for $-n \le R_1 < 0$; $\delta = 0$ for $0 \le R_1 < n$; $\delta = -1$ for $n \le R_1 < 2n$; $\delta = -2$ for $2n \le R_1 < 3n$ (F21)
Corollary of Theorem

Corollaries of the theorem will be given below on the assumption that the range of application of the theorem is extended. Here, a combination of corollaries 2 and 3 is impossible, but a desired combination of the other corollaries is possible; for example, corollaries 1, 2, 4 and 5 can be applied at the same time. Next, abridged notations X and X' and a random number β_j, which irregularly changes its value with variations in j, are defined by the following equations:


- {S + A H- (Is -I- l)}2*' + m . atf-i»iM| • 2-**) ■ 
2«-iiaR;<n-f(2-S-|-Ii)-2'>*-4-«- 
Stf-DUMi - 2—1-2- 

2"+> - n . ti + It < 2« a S - 2" a ti . n - » . 2" . 
02+ l).2"-n 

$R_j = 2^X \cdot R_{j+1} + M_1 \cdot M_{2,j} - (I_j + \beta_j) \cdot n$

$Q = \sum_{j=1}^{l} (I_j + \beta_j) \cdot 2^{(j-1)X} - \delta$

$\delta = 3$ for $R_1 < -2n$; $\delta = 2$ for $-2n \le R_1 < -n$; $\delta = 1$ for $-n \le R_1 < 0$; $\delta = 0$ for $0 \le R_1 < n$; $\delta = -1$ for $n \le R_1 < 2n$; $\delta = -2$ for $2n \le R_1 < 3n$



8- 



(F33) 
<F34) 

O^I?)- 



0^ 

0=21)- 



X - C(J^ . R/+l)l""l + [(Ml . Mi/2 
4V-«-&V-l)l^[M|-2-">] 



That is, a unit of [...] is used instead of [...].

Corollary 3

Instead of Eq. (F16) for calculating I_j, I_j can be obtained from Eqs. (F35) and (F36). In this case, however, [...] become [...] and (F19)', respectively.



X' - [{2^ . R/+i.i)2-*l + K2^ • R/+ij6a-"n+ 



(F24) 






R^4j-R^U + R/+W) 
MiMi^. 



0^) 
0^) 






Jr+[(-/>i.2-«ifco 


0^5) 


X+K-I/-I)o.2-"1<0 


<F36) 


-2*+ 1 -f «a5 a2*+ " - J -2« 




1 -ii^as2*a/i^-»*2" 




-(S+-0.2«+»^« DjJAf j.2-*J2"aJly 




<ji+(2-S)2"+i«tf-l)ji*'l*2~"T2" 





S* • S 0/ 

oa^a t 



(F27) 

0^ 



where β_j and [...] are integers.

Corollary 1

I_j can be obtained with Eq. (F29) instead of Eq. (F16). But when Eq. (F29) is used, S in the theorem is replaced with S'. Incidentally, the use of a carry propagation

Corollary 4

The quotient Q and the remainder R can be obtained, letting the lower and upper limit values of I_j expressed by Eq. (F17) be −I_1 + 1 if A·2^−m + t_1 ≤ 0 and I_2 − 2 if t_2 ≠ 0, respectively. In this case, I_1 in the theorem becomes I_1 − 1 and I_2 becomes I_2 − 2.

Corollary 5
By obtaining R_j from Eq. (F18) using I_j = I_j' + I_j0 (where I_j0 = ±1, ±2, ...) for I_j' obtained by Eq. (F16), the range of R_j is given by Eq. (F37). If this range of R_j is included in the range of R_{j+1}, then the theorem holds. When the corollary 5 is combined with the corollary 3, the range of R_j is given by Eq. (F38) and, when combined with the corollary 4, the range is given by Eq. (F39). When this corollary is combined with both of the corollaries 3 and 4, the range of R_j is given by Eq. (F38). In the case where only one of the lower and upper limit values of I_j is used for the corollary 4, I_1 − 1 and (I_2 + 2) − 2 in Eq. (F39) respectively become I_1 and (I_2 + 1), corresponding to the lower and upper limit values.
for X' ≥ 0
for X' < 0



8/ » 0 or 1 






((Ml . 6m-iHt, • IH)!—) + 26 + oy + ^1/ 



3 
Z 
M-0 



0 S a 4 






-<S + A + (l2 + I))- 2" + 
« • »y-J)XlMi . 2-"J • 2" - IjD • n S Ry <
n + (2-S + I|).2« + «.«(,-|)xlM|.2-"].2«-I/>.D ^ 
_<S + A) . 2" + « ' a(/-i»JM| . 2-*l . (F38) 
2« - . o a Ry <n + (2 - S) . 2* + 

-•«V-l)UMf2*1.2«- l>o « ^ 

-<S + A + aa + 0 - 2)- 1*" + 

• - 8tf-l)XlMi . 2-"J •2**IjQ<naRy<n + 
(2_S + (I|- l))2*+«.«(/-|)xIMi'2— ].2--Iyo ii 



$R_j = 2^X \cdot R_{j+1} + M_1 \cdot M_{2,j} - I_j \cdot n, \quad -n \le R_j < n$

$R = R_1 + \delta \cdot n$

$Q = \sum_{j=1}^{l} I_j \cdot 2^{(j-1)X} - \delta$

$\delta = 2$ for $R_1 < -n$; $\delta = 1$ for $-n \le R_1 < 0$; $\delta = 0$ for $R_1 \ge 0$



SPECIFIC EXAMPLES OF EXPRESSIONS OF THEOREM AND COROLLARIES

The following will show by way of example that the principle of the multiplier-divider could be expressed in various forms by suitable definition of the constants shown in the theorem and its corollaries. In the following, those expressions are omitted which would inevitably result from the definition of the constants. As regards those equations which would become easier to understand by changing their numerical expressions, they are represented with their expression changed.

EXAMPLE 1

This is an example in which the constants K, A, X, ω, S, t_1 and t_2, excepting m, are K = [...], A = 1, X = 4, ω = 0, S = 26, t_1 = 185/128 and t_2 = 0. The corollaries used are the corollary 1, the corollary 2, where w = 5, and the corollary 4.



m = 0, 1, 2, ...
$0 \le M_1 < n$



where 






EXAMPLE 2

This is an example in which I_1 and I_2 are determined using the corollary 4 and then the corollary 3 is applied.

(A) Precondition

The constants K, X, ω, t_1, t_2 and S, excepting m and A, are determined by the following equations. ε is a newly defined variable.

/ce2 

JT-l 

f|-.2-* + » 

/j-0 
2(2^+5 
5-2 

(B) Calculations of the Constants

By obtaining I_1 and I_2 using the corollary 4, I_1 = 1 and I_2 = 2 are obtained, and −1 ≤ I_j ≤ 2 holds.

Next, defining a variable Q_j which equals I_j + 1, it follows that 0 ≤ Q_j ≤ 3. Here, since the corollary 4 is applied, for example, when Q_j = 4 is obtained, it is set that Q_j = 3.
Setting 



AT,, 



•2»», 






m 



$-n \le R_{j+1} < n$



the relation M2_j = δ_j holds on the conditions ω = 0, X = 1. Therefore, the following equations hold by the corollary 3:

laily+lU—n+Ka/itflJl— 1+2+«y 



1(2/1/+ iU-*n+K8/Jlf|)2-«l+2+cy 



Obtaining the range of R_j from Eq. (F19), the following equation is obtained using S + A = 2ε:



1^0 for /loft 



(H7) 



Eq. (F18) becomes as follows:

/l/-2ily+l+S/Wl+(l-/>ir 

Taking into account that [...], [...] becomes as follows:

where 



^1 for /So < 
*^■^^Ofor/iot 



The mean value is 2^−[...] + ε − 1 when S = 1.

EXAMPLE 3

This is an example in which the corollaries 1, 2 and 4 are employed and, when j = 1, the corollary 5 is further used, and in which the constants K, A, X, ω, S, t_1 and t_2, excepting m, are set as follows: K = 11, A = 1, X = 3, ω = 1, S = 405, t_1 = 1 + 1173/2048 and t_2 = 1. Moreover, the value of w in the corollary 2 is set as w = 10.

«/•■ M 

m = 0, 1, 2, ...
$0 \le M_1 < n$

Ari^-Mv-2».«v+%-i) 






>^2- i. A'vJH^-^ 
/"I 



It will easily be understood that in the case of δ_j = 1 the expected value of |[...]| becomes 2^−[...] − 1 on the assumption that R_0 is uniformly distributed in the section [...]



" ^£0 ' **** « 0 or I 



- [a« • /i/+i,ija— I + (a« • /iy+ij»— 1 + 



(C) Summary of the Constants and Equations

The following equation (H6) holds for R_j (where j = q, q−1, ..., 1, 0) defined by the following equations (H1) to (H5), shown as equations summarizing the above, and the quotient Q and the remainder R of (M1×M2)÷n are given by the following equation (H7), where, when δ_j = 1 and [...] hold at the same time, it is regarded that Eqs. (H2) and (H3) hold.



JT&l 
222^0/ 



45 0 5^/39 



...+a7y+i-2'- + av-2*^ 



[<2Ky+|).2-"| + [(Bf. Jiri>.2-«| + 



^^prj'. r.2-»JforXa' <0 

50 a/ - a I 

-403 S //S 766 

/?>-2«.iy+| + M|.«i^-/y.ji 



& 0 



to "«J).Ji.2— n + 2 + ayfc0 35 "SS"""*" *^-"t^""^""3'^*^i<" + ««(^-0X 



I(2/l;+l).2-T + {(S/MOS-*^ + 



(H3) 



K-Q^ • « • 2-«n -f 2 + < 0 
(H4) 



> Jl| + a-n 



2*-« 



(H5) o« i //.2«V-I)_a 
(H6) 8 «0tU2,3,OS/t| <« 



EXAMPLE 4

This is an example in which the values of I_1 and I_2 are defined using the corollary 4 and then the corollaries 1 and 4 are applied.

(A) Precondition

At first, the constants are defined by the following equations, in which Q_j'' and Z_j are constants to be newly defined.



i.e.

K = X + 2
L = the number of significant digits
t_2 = 0

A two-output carry save adder is used. That is, A = 1, α_j = 0, 1.

From Eq. (F17), $-2^{K+1} \le I_j \le 2^{K+1} - 2$.

Since $Q_j'' = I_j = [\ldots] + \delta_j$, where δ_j = 0 or 1, the range of Q_j'' is defined by $-2^{K+1} \le Q_j'' \le 2^{K+1}$. However, when Q_j'' obtained from Eq. (F32) is $Q_j'' = -2^{K+1}$, then Q_j'' may be set as $Q_j'' = -2^{K+1} + 1$, and when $Q_j'' = 2^{K+1}$, then Q_j'' may be set as $Q_j'' = 2^{K+1} - 1$. As a result, the range of Q_j'' may be defined as follows:

$-2^{K+1} + 1 \le Q_j'' \le 2^{K+1} - 1$

But when Q_j'' obtained from Eq. (F32) is $Q_j'' = -2^{K+1}$, set $Q_j'' = -2^{K+1} + 1$, and when $Q_j'' = 2^{K+1}$, set $Q_j'' = 2^{K+1} - 1$.

(C) Summary of Calculation Method of Parameters

At first L, X, t_1 and [...] are determined and then a set of integers m, S and u is obtained.



fior « 0 
X/2for» • 1 






^ - i/l- V-i)h+»i-2'^ror« «0 

2l#*+» + 2Ar|.«(^_l)X+a|i-2»»'forti- I 30 

(B) Calculation of the Constants 

1 1 and Iz obtained using the corollary 4 are as follows: 



$I_1 = 2^{\lambda+1}$, $I_2 = 2^{\lambda+1} - 2$

L = the number of significant digits (the number of bits)
$\lambda$ = the length of division of $M_2$
$l = \lceil L/\lambda \rceil$
$\varepsilon$ = 0 or 1

$2^{\lambda+1} + 2 \le S \le 2^{\lambda+2}$
$u \ge 2\lambda + 4$



From Eq. (F3), $L = m + K + 1$, i.e., $m = L - \lambda - 3$, where when $\varepsilon = 1$, K is an even number.

The range of S is obtained from Eqs. (F7) and (F8). But the range of S is made smaller than that obtained by calculation and $\omega$ is eliminated:

$2^{\lambda+1} + 2 \le S \le 2^{\lambda+2}$

From Eqs. (F15) and (F19) the ranges of $R_{j+1}$ and $R_j$ are obtained. The following is a simplified representation of the ranges of $R_{j+1}$ and $R_j$ using the condition

Af|-IAf|.2-n2*+2'"^

where

Oft«i,(ir|.2-«|.2"aji/i.

-n+a*^.|)X*M|<R/<a+«»4(f-l»k-M|

From the corollary 2,

($\lceil x \rceil$ indicates the minimum integer greater than or equal to x.)

Execution of Calculation

(a) Preparation

At first, n is input to obtain v:

v=[2«-i-[n'2-«]]

Next, $M_1$ and $M_2$ are input.

(b) Repeated Calculation

The calculation method is shown below in the form of a program flowchart.

Step 0:

Step 1:



/i a 2- ^ 

/! + 1 s 2" J » fc X + I 
^ ..v 2 2X 4 

I (jy-.r.2—ifof jf/<o 



Xj ^ (a^ . J . 2— n + 1(9^ . 2— n + 



5 + ay + ^/ 






where -2''<Xf<V 
Step 2: 



fix-/. V. 2-1 + 

'^^^|^()ry.v.2-l 



I for X"/ ft 0 
for X-y < 0 






where when $Q_j'' = -2^{\lambda+1}$, set $Q_j'' = -2^{\lambda+1} + 1$; when $Q_j'' = 2^{\lambda+1}$, set $Q_j'' = 2^{\lambda+1} - 1$.
Step 3: 
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|i.O 



Step 4:

When j = 1, go to step 5. Otherwise go back to step 1.

Step 5: Repeated Calculation ends.

(c) Repeated Calculation 
Step 6: 



If $R_1 \ge 0$, then go to step 8.
Step 7: 



Omitting low-order m bits on either side of Eq. (F71),

R-i.r<[(2^+2^rn+«-«^2^M|P-T   (F74)

On the other hand, the following equation holds for the real number $x_j$ and an integer:









■Li.-]- 



(F73) 



y-0 






Go back to step 6.

Step 8: When $R_1 \ge n$, $R_1 \leftarrow R_1 - n$. Halt.

EXAMPLE 5

This is an example in which $K = \lambda + 3$ is set in place of $K = \lambda + 2$ in Example 4. The other conditions are the same as those in Example 4. Only differences between the two examples are given below.



0 S 74 S 4i - 1 (F76) 

When 6>^. applying Eq. (F75) to M] XEq. (FlO), 

nmO^lorl (F7S) 

' From Eq. (F9)xMa^ 

23 Oa((^|^2JW-'^<((*A/2J»-'^ (F79) 

From Eqs. (F77) and (F75>), 

M_«<«.„+«-,,_l+yj<i»+[(n*l2j}2-"l (FBI) 

Next, substituting Eqs. (F67), (F68) and (F70) into Eq. (F16),







The aforementioned embodiment of the present invention is described in connection with the case where L = 512, $\lambda$ = 4, l = 128 and $\varepsilon$ = 0 and m = 504, S = 38 and u = 13 are adopted.

Furthermore, it will easily be seen that, by setting $K = \lambda + i'$, i' = 4, 5, ..., such various expressions as described above in respect of Examples 4 and 5 can be obtained.

V - f ^''"T Ijl*^ " ^''^'^'H
l»-2-"n J



Id. 2""] 

+ S + a;-a»-i.-| (-IjXn • 2— H IS 0 



VERIFICATION OF NUMERICAL EXPRESSIONS OF THE PRINCIPLE OF THE MULTIPLIER-DIVIDER

Verification of Theorem

Preparation of Verification

The following are definitions of abridged numerical expressions:

(F67)

(F68)

(F69)

^ tflf " ^"'^ - 0 • [d • 2-^ < o

On the other hand, the following equation holds for the integer I and the real number x:

$[I + x] = I + [x]$   (F84)

Accordingly, removing the Gaussian symbols from both sides of Eqs. (F82) and (F83) and omitting the decimal point, Eqs. (F82) and (F83) become the following equations because $R_{j+1}$, S, $\alpha_j$ and »~m~\ are respectively integers.



A.«-c(2Vji^i)2— n 

if-<„«l(V,.il/2y)2-*I 
oi_ip-I(-«»^;k2^Wl)2-*l 



._m-l-[(-^-|)X^l)2— n 



From Eq. (F15X 

-.4;«^-*+*-2^I^+ftMI^2^Afi 32^/^+1 
<2^+2S'«+<*»>k2*AI| 

Setting A«Jr-X-log2^. from Eq. (F3), 



(F7I) 



<-IX*2— D*0 (FB?r 

R_i.+M_«+S+o;-»_««l+K-V-lH»J"*' 
D<0 (FBjy 



However, the following equation holds for the integer I and the real number x > 0, with P an integer.



U-i)frB-K-/)*J+P 



<F»5) 
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(F98) becomes minimum when €i=Ot y2= 1 -hw. 73=0. 
where ay«0, P|«— Ii'. 

ispaotoriaoj ^' Accordingly, if Ii' is selected such that 

Ii'spH, +2]S 1, the condition of Eq. (F88) is satisfied 
TTic foUowing is assumed letting I,' and h' be integers by Eq. (F7) and resuhing in the following equa- 

as condition of I> ,^ holdmg: 


oau (F«oi) 

Further, when Iy<-2Mi-2, the Eq. (F89) holds but 
-ir s -1 /f»ii Eq. (F90) does not hold. 

I2'60 J 15 ..-UV tF»02>. 

(A) When lj<0: Upper Umit Value of Ij (right side of Eq. (FIT)) 
^ (F85) to (F88) are applied to Eqs. (F82)' and ^ side/y-2X-^ > + 2X.r,i„ Eq. (F93), 
^^^^ • 20 it follows from 2*+i =2^+2^ that 

(-li)O'2-*)+Pia0 (FS9) «M J-^'^ 

ll_«+M«„+S+<V-«.^.,+K-V-«)n-2-'l- (F74)+Eq. (F8l)+Eq. (F103) 

P|<0 (PW) 2j 

.„.ap.aO <F9l) V < [2^. -H . + . .«>2^M.p-1 * <Ft04) 

(B) WhcnVSO: ^ -a. ,i m 
Tlje following equations are obtained in the same s + ay- ^.P2 + l(-2*^l-2*ll-2 tj- n>2"-i 

manner as described above. ^ whete 73 - 0, i or 2 (FI05) 

^7-|!ir2-'S^^ (F92) Eq. (F75) of the formula is applied to Eq. (F105) 

(«ly«l)n.2— 1+P2<0 (F93) " ^ 

74 + 7J • +S + ay + P: 

OfiPl^h'-f-l (F**> 

. . V < (Mv - X - l))B • 2-*J + 

Lower Limit Value of ly (left side of Eq. (FIT)) 40 ((-2ii)2— I + «i - 7* + y> • - + S + ay + Pj 

Using U for the left side of Eq. (F89) and substituting . 
with/y«-2^f|-.2, "^^"^ 

X _ ciaOor I (FI07) 

^'^''^ ^•^^^^ 74.aU2or3 (FI08) 

From Eq. (FT3)-J-Eq. (F88)+Eq. (F95), 73-aior2 • (Fnr 

((-«.2-*-2'^4,.«+-.«yK.2^M,>2-l+«-«+--. HowcvcT, [(-2n)2"'"]^ -2*+ « holds from Eq. (Fl) 

+^.«+s+<v— — t-i^-P|+tt2^»+l>»'2~"" M2^S(2^->), that is, [(M2^-(2^-l))n.2-'"]S0 

]2U holds from Eq. (F12). Since the right side of Eq. (F106) 

becomes maximum when €i = l, 74=0, 73=2, ayssA, 
Applying Eq. (FTS) to the above equations in the cases P2"il2' + It 
of <08O and <*:^ separately* 

55 V<-2*+» + l+2«+S+A4-i2'-»-l (FI09) 

m -2-*)ii'2-*+*2— n-72+73-«+S+oy+ P- 

Acooidingly, if I2' is selected such that 
0^ , ^p,7j l2'=[2^+ < +2*-f2]SO, then the condition of Eq. (F88) is 

satisfied by Eq. (FT) and, from Eq. (FT), the following 
-.[(i_2-*)i>.2-"1+l»*-2--n+<i-7j+73«#+S+- ^ equation holds with Ii'^h- 

cv+PiftU (P98) 

V<0 (FUG) 

where. 

On the other hand, when IyS2^+'+2M2, Eq. (F93) 
<i-Oor t <P99> 63 holds but Eq, (F92) does not. 

From Eq. (FT2), [(l-2-*)n-2-«1^0, and from Eq. MySla (FlU) 

(Fl) 2'^2(n-2-"']. Therefore, when the left side of Eq. 



^ rP|forI;< 
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Range of R/(Vcririaitioii of Eq, (F19)) Therefore, from Eq. (F8) 

£q.(F75) is applied to Eqs.(F89) and (F92) to sobsti- Rt^o (Fui) 

tute therein £q. (P18). 

5 . Set R/,»Qower limit value of Ry— lower limit value of 
ia^»-"1-y3+S+ii/-«.^_i+PtO (Fllli R^+i). 

where 

- -(S + A 4" 02 + 1)) • 2* + « djaJMi . 2-T . 2* + 
yi^^^o'^ <Fn3) 10 A.n.2-* + ti.n-«.6j(,Ml 

. . Rl « (- S . 2- + 1 1 . n - » . 2" - Oj + 1 ) • 2*) + 
, ^ (FIM) A . 2-Ha X 2-'"-' - 1) + 2"q«. • • Mi • l--^- 

^ 1$ (-.«A-Mi-2-«)-|.«> 

. . s - cy - p + s [(Ry)2— 1 Therefore, from Eq. (F8) 

The left side of the above equation becomes minimum Rl&O (Fm) 

when y3«0, apsA, PsP2=l2+ 1. « 

^ By Eqs. (F121) and (FI22) it has been verified that the 
/. -(S + A + (ij + I)) + s ((R>2— ] (Fiis) of ly is included in the range of Ry+ 1. 

Accordingly, the recurrence formula shown by Eqs. 
.-. -<s + A +02+ i))-2'" + ».Sy.|,xIM,.2-'-).2-SRy (FW) to (F19) r^)cat in Order j«l, l-l, . , . 2. 1, and R^ 

^ ^ 7< Ri-I. •••►Ri. Ri and I/, can be obtained. 

Next, Eq. (F75) to Eqs. (F90) and (F93) to substitute ^ ^^mr^v, « ^ ^ 

thereinto Eq. (FlSi CALCULATION OF R AND Q (EQS. (FI20) TO 

(F122)) 

The following equation is obtained by performing an 
[OV- o)2-"J - 73 + S + ^- + P < 0 0'H6) 30 0P«*>0« 

73«aior2 (FIIT) 

35 on both sides of Eq. (F20). 

^-(?|1SJvS0 ^'"^ Rl-RA+l-2^^ + M,X.i^Mv2f-»>^-«.SAM,.2^ + 

..[0V-«>2— l<yi-S-o^-P + «..., « •..«0M|-n.^l^|y.2tf-W 

The right side of the above equation becomes maximum . . 

when 73=2, a/«0, P»P|«.-i,. Accordingly, substituting R/+!»0, Bik~0, 6o«0 and 

M2 from Eqs. (Fl 1) to (F14) to the above equation, 

/. [01/ -ti>2-"J<2 . S + I| + 0*119) 

R| • Ml X M2 - n X Qi - 0^123) 

/. - ii<0 - %+ I,) . 2- + . 2- 

when 

. . Ry<n + a - S l|) . 2^" -t- «f - S(f.])]([M| . 2""1 . 2" 

SO Ql- i ii.jtf-w <P"^ 

By Eqs. (F115) and (Fl 19) it has been verified that Eq. 
{F19) holds. 

D CT A ^^i^T<.u,» wxr. . -■ ^ On the other hand, the following equation holds for the 

RELATIONSHIP BETWEEN RANGES OF R/+, quoUent Q and the remainder R^CMiXMj) -5- n. 
ANDR^((F15) AND(F19)) 
Next, the fact that the range of R/givcn by Eq. (F19) R-M|xM2-nxQ (fi2?) 

is smaller than the range of R/^.! given by Eo. fPlS) is » . . . 

shown usbg j+ 1 for j and fyji^B^^.yKin^ ^'"^ ^ <P»^> ^ <F1^9 f<>n^ ^ 

vaSSof^^"^^ "^"^ Ry+i-»PPcr Bmit ^ ii.it,...x«?-w (f,2q 

Since Q and Qi are integers, it b seen that the difference 
Rc;»a + t2.B^«i.S;i^Mi-a-a-S+)ii).2" - (Piao) between R and R| is an integral nniltiple of n. And R| 

ft ^-««« satisfies Eq. (F19X but I] and I2 are substituted thereinto. 

/. Rff- (S . 2* - 2*+l + n . tj - I| . 2-0 + " /.HS+A+[2^+»-|.2^2+lD2"+»^ofMi.2-*«). 

2-^- . BjtMt • 2-" . Bj,hii . 2—D ^"^l <i»+(2-S+l2^|+2fr2«+««M|4-T- 
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0^«AJMj2-'-l-2'-<n« holds from Substituting Eqs. (F136) and 

However, since 0<«*-oolMi'* J* j-' .... - muation is obtained takuig Eq. (rzvj into 

Efl (F9). the following equation can be obtained. following equauon b oo 

^ account 
-(S+A+r2^+»+2^+lI»"SR,<2n+a-S+ 

Then, the (bUowing equation is obtained from 2" XEq. Accordingly, it is understood from Eqs. (F16) md 

(FT) (F138) that Eq. (F29) holds. Incidentally, when Eq. 

„X4. 1 ,)L. ^ „ (F29) is used, S' is used, so that it is apparent that S is 

t-^r'*'***^*"*-*'***'* * * «F'») S2d i^t^of S in the theorem. 

»i ,n,-=««»*i C'*) Verification Of Corollary 2 

,,.s.pM...B.--<^..-^ S«bstitutingXinEq.(F23)int6Eqs.(F82)and(F83). 
From Eqs. (F127) to (F129) It follows that 

Further -2nS-2-**^'. 2"-^*Sn hold from Eq. x.(-.,-.H.2-"l<o 

(Fl) Bid, substituting them into the above equation, ^ . .aXn-J— lSX<(l/+iMn-i-1 ^^'"^ 

-to-Ki+i»)4-aRi<»»+<>-">*"+'" By substituting the minimum and the maximum value of 

1= i:« fPft -.-0 or 1 and. substituting it into the lyin Eq. (FIT) into the left and tiie right side, respec- 
^1^%"^^:^^^^^ ^vely. the fonowing equation -obtained. 

-2n<R|<2n+0— )-I-+n- t*""'* " _m«.I-lSX«I,+IM^-l 

Since tiie difference between R «id R, b « in!f8«j Substituting Eqs. (F30) and (F31) into the above eqoa- 

multiple of n, it is easUy ««> ft"? ^qs. ^»») tion. 
(F120 that Eqs. (F20) to (F22) hold. Thus. It has been 

«S^fiedti«tti.eti.eot«n holds. _2-t.2-lSX<2-.M-l 

VERinCATION OF COROLLARIES OF ln.2-"']<2*+ • holds: substituting it into 

rr^., . the above equation. 

Verificationof Corollary I 35 

FromEq.(F25) 

. R,..)2-l - lO-- <t.....)»-l * Next. Y is defined in the following m«.ner. 

((2^ By* IjdP-"1 + fl/J« 40 (FI4I) 

where. OSftj«=» Ll" »~"JJ 

From Eq. (F2«) ^p,^,, 

(FIJI) 4S Y . r X • V . 2-<**-* » 1 + »l 

(I>t34) Substituting v from Eq. (F33). 

where 

From Eqs. (F132). (F133) and (F134) Se«»« - - LirFSf J • " * *' < ' 

, - ,nx . r'"' „ 10 that the following equation is obtained taking Eq. 

((2» . iv*.»-l + KM, . Mijl . 2-1 - to* • uB 1 + M ^^^^^ .^^ 



**" Ct, ibrXkO 

where /ly-ft^K+^V. " ^-|^.,-.^X<0 

Setting Si => 1 -8/ and substituting Y, 
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(FI45) 4 
- 8;*forX £0 j-l 



"I P2 for I; a 



t„ T f|-6;»forXaO j-l 

t« • ^--1 J " ^ ' 5 performed on both sides of Eq. (F18)" to ohuin the 

following equation. 

r X n flX.v.2H*+»+l)j+ll6rXeO J?,«il/iXJtfj-»XOl' 

• • TTr^ I * ^ " I (X.v.2H*+-+l)) far X<0 

^ 10 where 

6/ =0. 1 and Ij in Eq. (Fl 6) to obtain Eq. (F32). Noct, 

Eq. (F19r is verified. Eq. (F75) is applied to Eqs. (F89) q,- « i (i^ + a/)2tf- 

and (F92) to substitute thereinto Eq. (F18)". J" 

«n,v. " It » evident that Eqs, (FZl)" and (F22)" holds m the 
+ IJ • - + s + a/ - --—I + PSO <F»^J^ same manner as Eqs. (F125) to (F131). 

where 73=0. I. 2 VerifK:atio« of Coroll«y^^ 

^ The conditions for which Eqs. (F35) to (F36) hold 

^ means that Eqs, (F90). (F92) and (F93) hold regardlew 

0 of whether 1/ b poative or negative and when Pi =0, 

^^A^tdingly, Eq. (FlOO) becomes as follows: PS 

Thereafter, the following equation is obtained in the 25 . „ ^ r c« rxm' 

sLc mam^ a. in the case of Eq. (F115) However, OSU uncondidonaUy hoWs fro^ 

Further, it is apparent that when I/<-2M|-2, Eqs. 
. w-iin (P9(yi and (F93) do not hold. 

-(s + A ^. (12 + >» -2- + • .eu-i>xfM, . 1-n . 1*" - ^ "-iiSV 

«r • * Similarly, Eq. (F109) becomes as follows: 
The left side of the above equation becomes minimum v<-2*+>+i+2«+S+A 

when6/=l.by whicto1teleftofEq^9y^^ 35 unoonditionaDy holds from Eq. (FT)'. 

Next. Eq. 0^5) « aPP^-J ^„Eqs. (F90) and (F93) to H^^^^^^^n I/>2x/i+2M2. Eqs. {F89) and 
substitute thercmto Eq. (FIB) . (F92) donot hold. 

l(Fy-. + «;.o)2-n-7J + S + *V— — l + P<« <P"^ 40 .Myah 

Wherein y^^O. \. 2 Next, since P»0 holds tn Eq. (F114X Eq. (FW)' holds 

wncrcm 73 ^ diecking the proof of the theorem foUowmg Eq. 

(F112) and it is evident that Eq. (F8)' is a precondition 
.0 45 of theorem. 



fP|lbrV< 

-^^Pj far 1,6 



0 Verification of Corollary 



(A) Lower Linut Value of V ^ 
Thereafter, the following equation is obtained in the /y=-2^i-l i« substituted mto Eq. (F18). 
s«nenunner«mthec«ofoM.in«gEq.(Fn9). „ ^^^^ ,^^»,,^^j^y,^<^^r^^ 

R,<o - w •• + 0 - s + ij)- y + itf-isJMi ■ J— 11- 

From Eq. (F12). JAySO. fub«titttting it into the above 
The right wde of Ae above equation becomes manmum equatioii, 
when 6.* =0, by which the right side of CF19)". S5 

Next, it is verified that Eq. (F«) is necessary. Set '^2f%+I5il^52i»ri!iS^^^ (Fi*e> 

Ri =(the lower limit value of Rd-(the lower limit +Kl-2-«* *«m»>+.^M,-I,H»)x 

value of R/+I). then Hwrefore. from Eqs. (F15) and (F3). 

(. . 2—-* - «) + 2-{l- . ^M, . 2— J- ^ ^ jj^ -2^1-1 In this 

(- . e^, . 2--) + -) case, Eq. (F19) holds ~to"My:. *h5s time, when ob- 
' 6S taimng R/ from Eq. (Pl«) with V--*^ir»' " 

T1.us.evide«.l».beengiventhatEq^"..ece. ^^^^^^^^^^^ 
sary. n« upper limit value remams michanged. Jj^SSislSSiatl^ 
Nejct, an operation ^ 
larger than the lower limit value of $R_{j+1}$ shown by Eq. (F15) because — A.n2-*— ti'nSO holds as the precondition.

(B) Upper Limit Value of $I_j$

$I_j = 2^{\lambda+1} + 2M_{2j} - 2$ is substituted into Eq. (F18). Setting 2^+ls2^+2\,

^j^i^M-^^v^tf^fiiMi'^'i-v'Mi'ii/^ijji

-(2 +2 +2^ii-2>f

From Eq. (F12), $M_{2j} \le 2^{\lambda} - 1$; substituting it into the above equation,

+(M| -0X2"^- l)+D+a^M|^_ i)x   (F148)

Accordingly, from Eq. (F15)

R/<ii -(-«hM I   (F149)

Next, consider the case where 2^+l+2^tiSI/£2*+'+2^i-"l holds. In this case, Eq. (F19) naturally holds. At this time, $R_j$ obtained from Eq. (F18) setting $I_j = 2^{\lambda+1} + 2M_{2j} - 2$ is found to be larger than the value (2^+i+2^tiS;l/&2Mi — t) of the first $I_j$ by +n or +2n, but the upper limit value of $R_j$ at that time is defined by Eq. (F149). Accordingly, it is seen that the upper limit value of $R_j$ is smaller than the upper limit value of $R_{j+1}$ because t2*nS0 holds as the precondition for the corollary 4. Thus, evidence has been given that the corollary 4 holds.

Verification of Corollary 5

It is evident from Eq. (F18) that Eq. (F19) holds, permitting the corollary 5 to hold.

As described above, according to the present invention, since $(M_1 \times M_2) \div n$ can be executed by performing the multiplication and the division in parallel using the same clock, the quotient Q or/and the remainder R can be obtained at high speed.

$M_1 \cdot M_{2j}$ CALCULATOR

Concerning the multiplication described in the theorem, supplemental explanation will be made below with respect to the condition $\varepsilon = 1$. In Eq. (F10), setting l, the following equation is obtained.

Mi/^M2j-fy'^+S^^i}k

A description will be given of the case where X— 6i. $M_{2ja}$ and $M_{2jb}$ are defined as follows:

ki -.5
•»-2^-i>+4.r
+Mir?r rfi
A'^t— aKZ-ntlJ^+aM/-!)*! 2»
4'2^.i>40-2''

Then, $M_{2j}$ is as follows:

$M_{2j} = M_{2ja} + M_{2jb} + M_{2jc}$

$M_{2ja}$, $M_{2jb}$ and $M_{2jc}$ can be implemented by a circuit similar to that for $Q_j'' n$ described previously in connection with the $-Q_j'' n$ calculator with reference to FIG. 62. With such an arrangement, the quantity of data representing $M_1 \cdot M_{2j}$ is decreased, permitting reduction of the circuit scale of the carry save adder 16.

Supplemental Description of Theorem 3

A description will be given of the general arrangement of a circuit for calculating the value of $I_j$ by Eqs. (F35) and (F36). Since this circuit arrangement is identical with that of the circuit for calculating the value of $Q_j''$ described previously in Example 2, the latter will hereinafter be described with reference to FIG.

FIG. illustrates a quotient calculator 9'' for calculating $Q_j''$. Signal lines 601, 602, 603 and 604 input therefrom variables $R_{j+1}$, $M_1$, $\delta_j$ and n, respectively. In an AND circuit 571 is obtained $[\delta_j M_1 \cdot 2^{-m}]$. An adder 620 performs an operation $[2R_{j+1} \cdot 2^{-m}] + [\delta_j M_1 \cdot 2^{-m}] + 2$. The last term +2 of this equation is generated within the adder 620. Circuits 621, 622 and 623 input therein n and output therefrom $[n \cdot 2^{-m}]$, $[-n \cdot 2^{-m}]$ and $[-2n \cdot 2^{-m}]$, respectively. The output of the adder 620 and the outputs of the circuits 621, 622 and 623 are added by adders 625, 627 and 628, respectively, and the output of the adder 620 is added with 0 in an adder 626. The adders 625 to 628 each output therefrom a 0 or 1, based on the following calculation, depending on whether the sign of a value 1, 2, 3 is positive or 0, or negative.

$[2R_{j+1} \cdot 2^{-m}] + [\delta_j M_1 \cdot 2^{-m}] + [(-Q_j'') n \cdot 2^{-m}] + 2$

The output signs are indicated by signals QA1, QA2, QA3 and QA4, respectively. These signals QA1, QA2, QA3 and QA4 are applied to a circuit 629, from which $Q_j''$ satisfying Eqs. (H2) and (H3) is provided based on logic shown in FIG. In this way, the value $Q_j''$ can be obtained which satisfies Eqs. (H2) and (H3).

ANOTHER METHOD OF MULTIPLICATION-DIVISION

The following will describe that the calculation for cryptography can be performed even if the multiplier-divider which is a main constituent of the cryptosystem is replaced with another kind of multiplier-divider. A description will be given first of another method of multiplication-division, then a multiplier-divider based on the calculation method and finally the arrangement of the cryptosystem.

ANOTHER METHOD OF MULTIPLICATION-DIVISION

This multiplication-division is performed by a method which can easily be deduced from an ordinary calculation method. At first, the multiplication $M_1 \times M_2$ is executed and then the division $(M_1 \times M_2) \div n$ is performed to obtain the remainder.

(A) Multiplication

The multiplication $M_1 \times M_2$ is performed in the following manner. Let it be assumed that Z is a variable.

Step 1: $Z \leftarrow 0$

Step 2: The following operations are performed in the order j = 1, 2, ..., l:

z-z-i-^i xsf^

Step 3: Halt.
(B) Division

A division $Z \div n$ is performed in the following manner. Here, $R_j$ is a variable, and Z is represented as a binary number and divided equally into 2l parts every $\lambda$ bits and set as $Z_j$.

Step 4:

Step 5: The following operations are executed in the order j = 2l, 2l−1, ..., 1.

Step 6: $R \leftarrow R_1$, halt. By steps 1 to 6, the remainder R of $(M_1 \times M_2) \div n$ can be obtained.

Here, the range of $R_{j+1}$ in step 4 satisfies the following condition:

$0 \le R_{j+1} < n$

This reason is verified by the following based on the conditions $0 \le M_1 < n$ and $0 \le M_2 < n$:

$Z = M_1 \times M_2 < n^2$

Therefore, $0 \le R_{j+1} \cdot 2^{j\lambda} < n^2$ and, with $2^{L-1} < n < 2^L$, $0 \le R_{j+1} < n$.

For the verification, both sides of the equation of $R_j$ are multiplied by $2^{(j-1)\lambda}$ and a summation $\sum_{j=1}$ is performed in respect of the multiplication result.

APPROXIMATION OF CALCULATION METHOD OF QUOTIENT $Q_j$ IN DIVISION

The quotient can easily be obtained by a close approximation which involves omitting m bits from the variable $R_{j+1}$, as is the case with the calculation of the quotient $I_j$ in the aforementioned simultaneous multiplication-division, and by a close approximation which involves multiplication using a reciprocal of the divisor in the division. That is, the division is performed using $Q_j'$ defined by the following equation, instead of $Q_j$:

/'pc^x vxl— l + 1forX/6 0
^*l,PC;X vX2"-llbrX/<0

L = the effective length of n ($2^{L-1} < n < 2^L$)

Here, m, S and u are defined as follows:

2^*2+2asS2^+»

In this case, it is the same as in the afore-described method of obtaining $I_j$ by approximation that the following holds:

$Q_j' = Q_j + \gamma_j$, $\gamma_j = 0$, 1 or 2

Here, $R_j$ is divided into $R_{j,0}$ and $R_{j,U}$ and

- ^ Rju

Division Using $Q_j'$

In the case of using $Q_j'$ in place of $Q_j$, the afore-described division changes as follows:

Step 4':

Step 5': The following is executed in the order j = 2l, 2l−1, ..., 1.

Step 6':

Step 7': If $R_1 \ge 0$, go to step 9'.

Step 8': $R_1 \leftarrow R_1 + n$, go back to step 7'.

Step 9': $R \leftarrow R_1$. Halt.

The above-described method of multiplication-division is called a "multiplication-division successive approximating calculation method".
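As an added example (this is not the patent's own code and does not reproduce the circuit the page describes), the following Python implements the successive-approximation multiplication-division just described, and also the square-and-multiply loop of claim 1 (Steps (1) and (2)) that turns it into $C \equiv M^e \bmod n$. Each $\lambda$-bit step estimates the quotient digit from the top bits of the partial remainder and a precomputed reciprocal of the top bits of n; the slack the estimate leaves is removed by one correction at the end, in the non-negative form of Step 8 of Example 4 (when $R_1 \ge n$, $R_1 \leftarrow R_1 - n$) rather than the Step 7'/8' addition of n. The truncation parameters (t = $\lambda$ + 5 top bits, a 2t-bit reciprocal) and the error bound they give are this example's own assumptions, not the patent's constants m, S and u.

```python
# Added example, not the patent's code: digit-serial R = M1 * M2 mod n with
# an estimated quotient digit per lambda-bit step and one final correction.
LAMBDA = 4  # digit width in bits; the page's embodiment uses lambda = 4


def precompute(n, lam=LAMBDA):
    """Return (s, n_hi, v, p): the truncation shift s, the rounded-up top
    bits n_hi of n, and the reciprocal v = floor(2^p / n_hi).
    Assumption (ours): n has at least t = lam + 5 bits, so n_hi >= 2^(t-1)."""
    L = n.bit_length()
    t = lam + 5
    if L < t:
        raise ValueError("modulus too short for the quotient estimate")
    s = L - t                 # low-order bits of n ignored by the estimate
    n_hi = (n >> s) + 1       # rounded up so that n <= n_hi * 2^s
    p = 2 * t                 # reciprocal precision in bits
    v = (1 << p) // n_hi      # v <= 2^p / n_hi
    return s, n_hi, v, p


def quotient_digit_estimate(x, s, v, p):
    """Estimate floor(x / n) for x >= 0 from the top bits of x and v.
    x_hi/n_hi <= x/n and v <= 2^p/n_hi, so the estimate never exceeds the
    true quotient; for x < 3 * 2^lam * n the two differ by less than 1,
    so the estimate is short by at most 1 (derivation in the lead-in's
    assumptions: t = lam + 5, p = 2t)."""
    return ((x >> s) * v) >> p


def mulmod_interleaved(m1, m2, n, lam=LAMBDA):
    """Compute m1 * m2 mod n for 0 <= m1, m2 < n, taking the lam-bit digits
    of m2 most significant first and subtracting an estimated quotient
    multiple of n at every step (the page's Q_j' in place of Q_j)."""
    if not (0 <= m1 < n and 0 <= m2 < n):
        raise ValueError("operands must satisfy 0 <= M1, M2 < n")
    s, _, v, p = precompute(n, lam)
    mask = (1 << lam) - 1
    l = -(-n.bit_length() // lam)     # number of lam-bit digits, ceil(L / lam)
    r = 0                             # R_{l+1} = 0
    for j in range(l - 1, -1, -1):
        d = (m2 >> (lam * j)) & mask  # digit M2_j
        x = (r << lam) + m1 * d       # 2^lam * R_{j+1} + M1 * M2_j
        q = quotient_digit_estimate(x, s, v, p)
        r = x - q * n                 # invariant kept: 0 <= r < 2n
    if r >= n:                        # final correction: at most one subtraction
        r -= n
    return r


def modexp_square_multiply(m, e, n):
    """C = M^e mod n by the left-to-right loop of claim 1: C <- 1; for each
    bit e_i of e from the top, C <- C*C mod n, then if e_i = 1, C <- C*M mod n."""
    c = 1
    for bit in bin(e)[2:]:
        c = mulmod_interleaved(c, c, n)
        if bit == "1":
            c = mulmod_interleaved(c, m, n)
    return c


def self_check(trials=200, bits=64, seed=12345):
    """Compare against Python's built-in arithmetic on constructed
    pseudo-random operands; True when every trial agrees."""
    import random
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        a, b = rng.randrange(n), rng.randrange(n)
        if mulmod_interleaved(a, b, n) != (a * b) % n:
            return False
    return True


if __name__ == "__main__":
    n = (1 << 61) - 1  # constructed modulus for the demonstration
    print(mulmod_interleaved(123456789, 987654321, n) == (123456789 * 987654321) % n)
    print(modexp_square_multiply(42, 65537, n) == pow(42, 65537, n))
    print(self_check())
```

The invariant $0 \le R_j < 2n$ is what makes the single end correction sufficient: the estimate never overshoots, so $R_j$ never goes negative, and it undershoots by at most one multiple of n, so $R_j$ never reaches $2n$. A hardware digit estimator with a different rounding (the page's $Q_j' = Q_j + \gamma_j$ with $\gamma_j$ up to 2) needs the matching correction loop instead; the bound must be re-derived whenever t or p is changed.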

(D) Multiplier-Divider

FIG. 68 illustrates the general arrangement of the multiplier-divider based on the simultaneous multiplication-division operating method described previously with respect to FIGS. 2 and 22 and Eqs. (3) to (24). A main adder $110_X$ is an assembly of the main adders $110_1$ to $110_8$ shown in FIG. 36, and a register $105_X$ is an assembly of the registers $105_1$ to $105_8$ shown in FIG. 34 and it has the function of shifting its content to the left by steps of four bits. An $M_1 \cdot M_{2j}$ calculator $140_X$ is an assembly of the calculators $140_1$ to $140_8$ shown in FIG. 37, and a $-Q \cdot n$ calculator $150_X$ is an assembly of the calculators $150_1$ to $150_8$ shown in FIG. 38. An adder $160_X$ is an assembly of the adders $160_1$ to $160_8$ depicted in FIG. 39, and an adding register $170_{LX}$ is an assembly of the registers $170_{L1}$ to $170_{L8}$ shown in FIG. 40. An adding register $170_{RX}$ is also a similar assembly of individual adding registers. Selectors $311_X$ and $312_X$ are assemblies of eight selectors 311 and 312 shown in FIG. 61, respectively. An adder $180_X$ is an assembly of the adders $180_1$ to $180_8$ shown in FIG. 4.

FIG. 69 illustrates a multiplier-divider based on the multiplication-division by successive approximation. In FIG. 69 the parts corresponding to those in FIG. 68 are identified by the same reference numerals. A selector 410 selects one of the output signal lines of the calculators $140_X$ and $150_X$ and provides an output to a carry save adder $160_Y$. Switching control of the selector 410 is effected by a signal on a control line 415. The carry save adder $160_Y$ is identical in construction with the adder $160_X$. A register $105_Y$ is similar to the register $105_X$ but largely differs therefrom in that its content is shifted to the right by steps of four bits. Register sections $170_{LY}$ and $170_{RY}$ are registers of 1024-bit length. As depicted in FIG. 70, the register sections $170_{LY}$ and $170_{RY}$ are each formed by a series connection of a 514-bit register 419 and a 510-bit register 420 to constitute a 1024-bit register as a whole. This register has the function of shifting its content to the right and left by steps of four bits ($\lambda = 4$). The register $170_Y$ has connected thereto a signal line 421 for determining the direction of shift, a shift command pulse input signal line 422, a signal line 423 for setting 0 in the content of the register, a register input signal line 425 and a register output signal line 426.

In the arrangement of FIG. 69, the calculation for obtaining the remainder of $(M_1 \times M_2) \div n$ is performed as follows: At first, the input signal line 411 of the selector 410 is selected, and the register sections $170_{LY}$ and $170_{RY}$ store 0 first and perform the multiplication by the aforesaid method utilizing the function of right shift by steps of four bits, thereby obtaining the value of $M_1 \times M_2$ on the register sections $170_{LY}$ and $170_{RY}$ of 1024-bit length. ($M_1 \times M_2$ is represented as the sum of the numbers stored in the register sections $170_{LY}$ and $170_{RY}$.)

Next, the input signal line 412 of the selector 410 is selected and the division is carried out by the quotient calculators 60 and 61 in the aforementioned manner utilizing the left shift function of the registers $170_{LY}$ and $170_{RY}$. In this way, the remainder of the multiplication-division $(M_1 \times M_2) \div n$ can be obtained.

FIG. 70 illustrates the construction of a register $170_Y$ comprising the register sections $170_{LY}$ and $170_{RY}$.

FIG. 71 illustrates the general arrangement of an embodiment of the cryptosystem of the present invention which employs the simultaneous multiplication-division method, and FIG. 72 shows the general arrangement of another embodiment of the present invention which employs the successive approximating multiplication-division method. In FIGS. 71 and 72, the respective input and output signal lines correspond to those in the afore-described drawings and are shown at the same positions. The register 420 in FIG. 22 corresponds to the 510-bit-long register 420 in FIG. 70 which has the function of shifting its content to the right and left by steps of four bits, and the signal line 21' is a multiplication control signal line. As described previously in connection with FIG. 69, the register $105_Y$ is one that has the function of shifting its content to the right by steps of four bits. The multiplication control signal line 21' is led out from the slice section $25_8$ and the direction of the signal on this line is opposite to that on the signal line in FIG. 71. The register 419 in each of the register sections $170_{LY}$ and $170_{RY}$ serves as a register equivalent to an assembly of the registers $104_1$ to $104_8$ shown in FIG. 33. Because of such an arrangement, the calculation $C \equiv M^e \bmod n$ can be performed using the variables e, n and M.

In the simultaneous multiplication-division method, it is also possible to calculate first $M_1 \times M_{2j}$ for each j and then perform the operation $-Q_j \times n$. In this case, as shown in FIG. 69, a selector is provided between the calculators $140_X$ and $150_X$ and the adder $160_X$ in the arrangement of FIG. 68, and $M_1 \times M_{2j}$ and $-Q_j \times n$ are alternately supplied from the selector to the adder $160_X$ for each j.

Furthermore, in the quotient calculating unit 9, the operation

$Q_j = \left[ \dfrac{M_1 \times M_{2j} + 2^{\lambda} R_{j+1}}{n} \right]$

may be directly performed without using close approximation.

Although in the foregoing embodiments the quotient calculating unit 9 is provided independently of the sliced sections 25, it is also possible to provide quotient calculators $9_1$ to $9_8$ in the sliced sections $25_1$ to $25_8$, respectively, as shown in FIG. 73, for example, and to use only the quotient calculator $9_1$ for the calculation for cryptography, holding the others inoperative. With such an arrangement, the cryptosystem of the present invention can be formed by eight LSI chips of the same configuration and no separate LSI chips need be provided for the quotient calculating unit. Also it is possible to constitute LSIs including one part of the quotient calculating unit 9, for instance, the post-processing section 61 or pre-processing section 60, in the respective sliced sections $25_1$ to $25_8$, though not shown. Conversely, since only one controller $8_1$ in the sliced section $25_1$ shown in FIG. 6 is made operative, it is possible to remove all the controllers $8_1$ to $8_8$ from the respective sliced sections $25_1$ to $25_8$, and provide a single controller of an LSI chip for controlling the sliced sections $8_1$ to $8_8$ and the quotient calculator 9.

As has been described in the foregoing, according to the present invention, the cryptosystem for implementing the RSA cryptograph $C \equiv M^e \bmod n$ can easily be constituted through utilization of present-day LSI technology even if the value of n is extremely large. For instance, the RSA cryptography employs the value $n \approx 10^{100}$ to $10^{200}$ and, in this case, the circuit scale of the cryptosystem is as large as 100K to 200K gates. According to the present invention, the cryptosystem can be formed by a small-scale ROM and 10-to-30K-gate LSI chips of the same configuration.

Furthermore, as will be appreciated from the foregoing, the value $L - m$ is independent of the value L. Accordingly, the calculation by the quotient calculation post-processing section is independent of the value L, that is, the number of digits of the value n; therefore the multiplication-division $R \equiv M_1 \times M_2 \bmod n$ and the operation $C \equiv M^e \bmod n$ can be performed increasing or decreasing the number of sliced sections. In other
words, the lengths of the encryption keys (n and e) can easily be changed by increasing or decreasing the number of sliced sections.

Besides, according to the present invention, the operation speed can be increased by the simultaneous multiplication-division as described previously. In this case, the main adding unit need not always be divided, that is, the arrangement shown in FIG. 68 may be employed.

It will be apparent that many modifications and variations may be effected without departing from the scope of the novel concepts of the present invention.

I claim:

1. A cryptosystem in which integers M, e and n ($0 \le M < n$) are applied to M-, e- and n-registers; variables C and $M_2$ are stored in C- and $M_2$-registers; the integer e being represented by

$e = \sum_i e_i \cdot 2^i$ ($e_i$ = 1 or 0);

the variable C is initially set to 1; repetitive calculations are performed in accordance with the following Steps (1) and (2) for each value i in the order of ..., 1, 0; in Step (1) an operation $C = M_1 \times M_2 \bmod n$ is performed with $M_1 = C$ and $M_2 = C$; in Step (2) the value of $e_i$ is checked and if $e_i = 1$, the operation $C = M_1 \times M_2 \bmod n$ is further performed with $M_1 = C$ and $M_2 = M$; and said repetitive calculations are completed with i = 0, producing the last C in the form of $C \equiv M^e \bmod n$;

wherein a quotient calculating unit, a main adding unit and a controller are provided for performing the operation $C \equiv M_1 \times M_2 \bmod n$, said main adding unit having an adding register for storing a variable $R_{j+1}$, wherein, in order to perform the following operation in the order j = l, l−1, l−2, ..., 1, thereby to obtain the last $R_1$ in the form of $C \equiv M_1 \times M_2 \bmod n$:

$R_j = M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j'' \cdot n$

where

$M_2 = \sum_{j=1}^{l} M_{2j} \cdot 2^{\lambda (j-1)}$,

$M_{2j} = \sum a_i \cdot 2^i$, $a_i$ = 0 or 1,

$R_{l+1} = 0$, and $\varepsilon$ = 0 or 1,

where [ ] is a Gaussian symbol, [x] the largest possible integer smaller than or equal to x, and $\lambda$ and l constants, said quotient calculating unit is connected to said C-, $M_2$- and n-registers and said main adding unit and performs an operation

$\left[ \dfrac{M_1 \times M_{2j} + 2^{\lambda} R_{j+1}}{n} \right]$;

said main adding unit is connected to said quotient calculating unit and said M- and n-registers and forms an operation $M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j'' n$; and said controller performs control for obtaining said C by the respective calculations of said quotient calculating unit and said main adding unit.

2. A cryptosystem according to claim 1 wherein first and second adding registers are provided as said adding register; said variable $R_{j+1}$ is divided into $R_{j+1,0}$ and $R_{j+1,U}$,

iki (R/ - ^ Ka^.

$R_{j+1,0}$ and $R_{j+1,U}$ are stored in said first and second adding registers; and said main adding unit performs the following operation:

$M_1 \times M_{2j} + 2^{\lambda} R_{j+1,0} + 2^{\lambda} R_{j+1,U} - Q_j'' \cdot n$

3. A cryptosystem according to claim 2 wherein said quotient calculating unit comprises a pre-processing section and a post-processing section connected thereto, said pre-processing section being supplied with said n to calculate f2«-5-fn-2-«D« v (m and u being constants), said post-processing section being supplied with said $R_{j+1}$, $M_1$, $M_{2j}$ and v to calculate $Q_j''$ by approximation mationllittinir ^ j -fk «

i P^R/4.i^2-n+^l'lMiA,_,u+>2'.2-'^+s-xr
i.o*'^"'-^*-'' J+j*jjIMi^-iix+*'2 ^ J+sx^

in the case of $\varepsilon$ = 0 and, in the case of $\varepsilon$ = 1, setting

iio^ |£o ' *tf-«)^+ai+2 +
«y-iix+2i+i • l^*^ + 2iQ^iyk^.v - 2^ - 2-"l + s » Xf

and setting as said $Q_j''$

Q->-pryX vX2-*r+ tforX'yfiO
07- pC^yX V X 2-*}forrv< 0

or

07- PC^ X V X 2-«l + 1 for X7> 0

(S being a constant and holding and S being an integer), and wherein compensating calculation means is included for obtaining, from said $R_1$, $R_1 + \delta \cdot n$ which satisfies $0 \le R_1 + \delta \cdot n < n$.

4. A cryptosystem according to claim 3 wherein said pre-processing section is a memory which is read out with $[n \cdot 2^{-m}]$ as its address.

5. A cryptosystem according to claim 2 wherein $\lambda$ = 1, $\varepsilon$ = 0; said quotient calculating unit is means supplied with said $M_1$, $\delta_j$, n and $R_{j+1}$, for obtaining an approximate value $Q_j''$ of $Q_j$ such that the calculation result obtained by calculating $[2R_{j+1} \cdot 2^{-m}] + [\delta_j M_1 \cdot 2^{-m}] - [Q_j'' n \cdot 2^{-m}]$ while changing $Q_j''$ successively varies in sign with respect to a reference value; and compensating calculation means is included for obtaining, from said $R_1$, $R_1 + \delta \cdot n$ which satisfies $0 \le R_1 + \delta \cdot n < n$ ($\delta$ being an integer).

6. A cryptosystem according to claim 3 or 5 wherein said main adding unit comprises an $M_1 \cdot M_{2j}$ calculating section for calculating $M_1 \times M_{2j}$, a $-Q_j'' \cdot n$ calculating section for calculating $-Q_j'' \times n$, said first and second adding registers for storing variables $R_{j+1,0}$ and $R_{j+1,U}$, means for multiplying the contents $R_{j+1,0}$ and $R_{j+1,U}$ of said first and second adding registers by $2^{\lambda}$, a carry save

divided into every fixed width of their binary integers and sequentially applied to said sliced sections; said $M_{2j}$ and $Q_j''$ are applied to said sliced sections in common to them; said sliced sections each perform a calculation $R_j = M_1 \times M_{2j} + 2^{\lambda} R_{j+1} - Q_j'' \times n$ for the $M_1$, n,
adder for adding together the resulting 2^-R/+i.o and Mi/ and Ry+i applied to them; and said sliced sec- 

2^R/+i.if calculated Mi XM2/ and the calculated tions are each connected to a higher-order one of them 
— Q^"X*n and storing the addition result in said first and via a connection signal line for applying thereto one 
second adding registers, and a carry propagation adder part of the result of said calculation, 
for adding two outputs from said carry save adder and 10 11. A cryptosystem according to claim 10, wherein 
storing the addition result in said C-register; said com- an adder for performing the addition in the calculation 
pensating calculation means comprises a selector for Rj^M\XMiJ ^l^Rj^x—Qj'Xn in each sliced section 
selecting one of the contents of said first and second is composed of a plurality of carry save adders; the . 
adding registers, R/+ 1.0 and R/>i.it and said 2^^— multi- number of bits of each of an input and an output signal 
plied values, 2^R/+i^ and 2^*Ry4.i,i, for input to said 15 line of said carry save adder is selected larger than the 
carry save adder, means for making zero one of M 1 and number of binary bits of the fixed width of said integers; 
lAiJ applied to said Mi-Miy' calculatuig section, means and means is included for supplying the most significant 
for setting —Q/ applied to said — Q/"*n calculating sec- one of b'mary bits of the fixed width of said integers on 
tionto + 1« and means for selecting 1,0 and Ry^uiby the low-order side in the output signal line of each carry 
said selector at the time of compensating calculation, 20 save adder to a corresponding one of the carry save 
making one of Mt and IA2J to be zero and — to be adders of the higher-order sliced sectioiu via a part of 
4-1, and activating said carry save adder and said carry said connection signal line, and for ^plying said most 
propagation adder to perform an opmtion Rt-hd-n. significant bit applied from the lower-order sliced sec- 

7. A cryptosystem according to claim 3 or 5 wherein t^ons to the corresponding carry save adder, for apply- 
said main adding unit comprises an M i-Miy calculating 25 \ b^ts of the last stage output signal line of said carry 
section for calculating MixMz/t a — Q/^n calculating save adder to the higher-order sliced section via the 
sectbn for calculating — Q/" X n, said first and second other part of said connection signal line to apply a signal 
adding registers for storing the variable Ry^ \j (i —0, 1)* of said X bits from the lower-order sliced section to the 
a carry save adder for adding 2^R/+ ly 0">0i 1) obtained last-stage output of said carry save adder. 

by multiplying IV+U 0— 0» 1) 2\ the calculated 30 12. A cryptosystem according to claim 10 wherein 
Mi'Mi/ and the calculated — Q/"'n and storing the said sliced section each include an Mz-regtster for input 
addition result in said first and second adding registers, therein said divided Mj. 

and a carry propagation adder for adding two ouq>uu 13 cryptosystem according to claim 12 wherein 
from said carry save adder and storing the addition said sliced sections each include a selector controUed by 
result in said C-register, and said compensating calcula- 35 ^^j^ ^ ^1^^ ^^e of said M and C for input to said 
tion means comprises a first selector for selecting either M^rcgister. 

the one output from said carry save adder or the content 44 cryptosystem according to claim 13 wherein 
of said C-register, a second selector for selecting either section each includes an M-registcr for stor- 

the other output from said carry save adder or n applied -^^^ divided M. 

to said -Q^n calculating section, and means for select- 40 cryptosystem according to claim 13 wherein 

ing the content of the C-register and the n by said first ^ ^^^^ sections each include an n-register for storing 
and second selector, respectively, during compensating divided n 

calculation, and activating said carry propagation adder ^ cryptosystem according to claim 13 wherein 

to perform an operation Ri -f , . ^ ^ . ,^ said sliced section each include an e-register for storing 

8. A cryptosystem according to claim 2 wherem said 45 divided e 

main adding unit compris^ an Mi-M:^ calculating sec- ^ cryptosystem according to claim 13 wherein 

non for calculating M| X M^, « -Q/-n cidcutating sec- ^^^^ ^^j^^^ ^ C-registeirfor storing 

tion for calculating — X n, said first and second add- ^ ^ divided C 

ing registers for storing the viable ^^uj- ^ <>) • ^ M. A cryptosystem according to claim 13 wherein 
carry save adder for adding 2^Ry^ , obtamed by multi- 50 ^H^edTections each include at least one part of said 

t^J^^X^l^^^^ .S^'cSTcul^on LTot ?:e>,o-/ 

!* ^ I 1 ^ J raucuiauon rauu oi ^.^^^ calculating sections of said sliced sections is made 

said — ^n calculatmg section and stonng the addition . . ^ 

result in said first and second adding registers, and a "Pf" . «^«««««r M.im iiih«»n*iffi 

carry prop.g«ion «U.er f<. aiding n«^o«tp«U fjom 55 ^.t^S^^eTS^ ^'"c^nS.!;:?^ 

said carry save adder and stonng the addition result in T -"^-^ , . j . „ r ^ -i: i 

said C-register ** controllers of said suced sections is 

9. A cryptosystem according to claim 8, further in- operable. w u w ^ a 
eluding a selector for selecting one of the calculation ^ ^ cryptosystem m which integers M, e and n 
results of said Mi-Mu calcuhtine section and said 60 (O^M<n) are applied to M,e and n registers; variables 
-CVn calculating sectfon and supplying the selected ^ and Mjare storwl m C- and Mi-regisieis; the mteger 
calculation result to said carry save adder, and means ^ represented by 

for adding the selected calculation result and said 

2^-R/+i and adding the addition result, for each. j. with ^ _ ^ ^ 

the other calculation result selected by said selector. 65 " M ' 

10. A cryptosystem according to claim 2, 3 or 5 

wherein said niatn adding unit is divided into a plurality (e/«0 or 1); the variable C is initially set to 1; repetitive 

of sliced sections of the same function; said Mi and n are • calculations are performed in accordance with the fol- 
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lowing Steps (1) and (2) for each value i in the order 
i==k, k-U k*i ... I, 0; in Step (1) an operation 
C^XliXM: mod n is performed with MjbC and 
M2==C; in Step (2X the value of ei is checked and if 
tf^ 1, the operation CmM}XM2 mod n is further per- s 
formed with Mi^C and Mj^M; and said repetitive 
calculations are completed with i^O; producing the last 
C m the form of CvM' mod n; 
said cryptosystem comprising a main adding unit 
including at least an M|*M2^ calculating section for \o 
calculating M\XMy, a —Q/^n calculating section 
for calculating — Q^"Xn, a selector for selecting 
one of the calculation results Mj-Mi^' and — Q/"-n, 
an adding register and an adder for adding the 
content of said adding register and the output of is 
said selector and stc^ng the addition result, in said 
adding register, a controller, and a quotient calcu- 
lating unit; 

wherein the main adding unit is controlled by said 
controller so that a 0 is applied as a variable Z to 20 
said adding register, said calculation result M i Mij 
is selected by said selector, an operation 
Z=Z^M\ XMi/ is performed in the order js= 1, 2, 
. . « 1 to obtain M|*M2b>Z, 



for calculating —Q/'Xn, a selector for selecting 
one of the calculation results MvMy' and — Cy'-n, 
an adding register and an adder for adding the 
content of said adding register and the output of 
said selector and storing the addition result in said 
adding register, a controller, and a quotient calcu- 
lating unit; 

wherein a 0 is applied as a variable Z to said adding 
register, said calculation result Mi-Mi/ is selected 
by said selector, an operation Z»Z+A/i xMiJ is 
performed in the order j^l, 2, . • . 1 to obtain 
Mi'MjwZ, then R/^.i of 



■I 



■X 
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is applied to said adding register, said calculation 
result — Q/"*n is selected by said selector, said quo- 
tient calculatmg unit comprises a calculating sec- 
tion for calculating Jry=[2^/l/2-"']+5 (S being a 
constant) and a calculating section for calculating 



(X being constant) is appfied to said adding register, 
said calculation result — Q^'-n is selected by said 30 
selector, and an operation Rj—l?^Rj^\^Zj^Qj*'n 
is performed in the order js=l, 1^1, . 1; 
wherein said main adding unit is divided into a plural- 
ity of sliced sections of the same function, said M 1 cr-P!/X»^2"1+' 
and n are divided into every fixed width of their 33 
binary integers and sequentially applied to said when, 
sliced sections, said Mj^' and Q" are applied to said 
sliced sections in oomm<m to them, said sliced sec- 
tions each perform said operations 
Z=Z-hAfiXilf2^' and /l82^/{/4>i+Z^--<2/'*'' for 40 
the M], n, Q^' and Mj/ applied to them, said sliced 
sections are each connected to a higher-order one 
of them via a furst connection signal line for apply- 
ing thereto one part of the calculation result and 
said sliced sections are each connected to a lower- 43 
order one of them via a second connection signal 
line for applying thereto the calculation result Rf. 
21. A cryptosystem in which integers M, e and n 

(0^ M < n) are applied to M, e and n register^ variables 

C and M2 are stored in C- and Mz-registers; the integer so 

e being represented by 



and said quotient calculating unit is controlled by 
said controller to calculate 



3^0 



when 



Xy<0 

or 

when *^ 

cy«lJ^xyx2-T 



35 



(e/sO or I); the variable C is mitially set to I; repetitive 
csJculations are performed in accordance with the fol- 
lowing Steps (1) and (2) for each value I in the order 
isle, k— 1, k*2, ... 1, 0; in Step (1) an operation 
CmMiXMj mod n is performed with M|s:sC and 
Mi^Q in Step (2X the value of e/ is checked and if 
e/«l, the operation CnMiXMj mod n is further per- 
formed with M]s=C and M2~M; and said repetitive 
calculations are completed with i e*0, producing the last 
C in the form of CsM' mod n; 
said cryptosystem comprising a main adding unit 
including at least an MfMa^ calculating section for 
calculating M] XM2yt a *Q^n calculating section 
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when 
X/SO 

and calculate Rj^l^Rj-j-Rj—Q/'-n in the order 
j=l, 1-1, ...1; 

wherein compensation calculation means is included 
for calculating, when Rt^O, Ri«Ri-ha until 
R|&0 is obtained; 

wherein said main adding unit is divided into a plural- 
ity of sliced sections dt the same function, said Mi 
and n are applied to said sliced sections while beix^ 
sequentially divided for each fixed width of their 
integers, said Mj/ and Q" are applied to said sliced 
sections in coounon to them» said sliced 
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4,514,592 



each perform said operations Z^.Z+Af\xM2j 
and Rj^l^Rj^i-^Zj-Q/^-n for the M|p n, Q/' and 
applied to them, said sliced sections are each 
connected to a higher-order one of them via a first 
connection «gna] line for applying thereto one part 
of the calculation result Z, and said sliced sections 
are each connected to a lower-order one of them 
via a second connection signal line for applying 
thereto the calculation result 
22. A cryptosystem according to claim 20 wherein 
first and second adding regbters are provided as said 
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10 



adding register, said variable R/is divided into Ryjband 



KjjQ and R/,i are stored in said first and second adding 
registers; and said main adding unit performs the fol- 
lowing operation: 
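The exponentiation procedure recited in claims 1, 20 and 21, as an added software illustration (not the patent's circuit and not code from the article): e is scanned from bit k down to bit 0, Step (1) squares C and Step (2) multiplies by M when e_i = 1, and each C = M1 × M2 mod n is itself formed digit by digit as R_j = 2^λ R_{j+1} + M1 × M2j − Q_j'·n, followed by the compensation step that brings R into 0 ≤ R < n. The quotient estimate from truncated high-order bits and the slice width λ = 4 are assumptions standing in for the patent's specific approximation.

```python
# Added example (not the patent's or the article's code): claims 1, 20 and 21
# as software.  The quotient estimate Q_j' below is an assumption: it uses
# only the high-order bits of the partial remainder and of n, so it can be
# off by one, which is exactly why the claims need a final compensation step
# bringing R into the range 0 <= R < n.

LAM = 4  # lambda: width in bits of each slice M2_j of the multiplier (assumed)


def quotient_estimate(z: int, n: int) -> int:
    """Approximate Q_j' = [z / n] from truncated high-order bits (assumed
    scheme, not the patent's pre-/post-processing approximation)."""
    shift = max(n.bit_length() - 12, 0)     # keep about 12 leading bits of n
    return (z >> shift) // (n >> shift)      # floor division, also for z < 0


def modmul_serial(m1: int, m2: int, n: int, lam: int = LAM) -> int:
    """C = M1 * M2 mod n, consuming M2 in lam-bit digits M2_j from the top:
    R_j = 2^lam * R_{j+1} + M1 * M2_j - Q_j' * n for j = l, l-1, ..., 1."""
    assert 0 <= m1 < n and 0 <= m2 < n
    mask = (1 << lam) - 1
    digits = (m2.bit_length() + lam - 1) // lam   # l, the number of digits
    r = 0                                         # R_{l+1} = 0
    for j in range(digits - 1, -1, -1):
        m2_j = (m2 >> (j * lam)) & mask
        z = (r << lam) + m1 * m2_j                # 2^lam R_{j+1} + M1 M2_j
        r = z - quotient_estimate(z, n) * n       # R_j, still congruent to z
    # Compensation (claim 21: add n while R < 0; claim 5: 0 <= R + delta*n < n)
    while r < 0:
        r += n
    while r >= n:
        r -= n
    return r


def modexp_claim(m: int, e: int, n: int) -> int:
    """C = M^e mod n by Steps (1) and (2) of the claims, i = k, ..., 0."""
    assert 0 <= m < n
    c = 1                                          # C is initially 1
    for i in range(e.bit_length() - 1, -1, -1):
        c = modmul_serial(c, c, n)                 # Step (1): M1 = C, M2 = C
        if (e >> i) & 1:                           # e_i == 1 ?
            c = modmul_serial(c, m, n)             # Step (2): M1 = C, M2 = M
    return c


if __name__ == "__main__":
    # Constructed toy RSA parameters: p = 61, q = 53, n = 3233, e = 17, d = 2753.
    cipher = modexp_claim(65, 17, 3233)
    print(cipher, modexp_claim(cipher, 2753, 3233))   # 2790 65
```

Because every step subtracts a multiple of n, the result is correct for any quotient estimate; only the amount of compensation work depends on how good the estimate is.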


